pending stable kernel security updates
Hello! I've got more pending kernel updates waiting in the
ubuntu-security git trees now:

               dapper   feisty   gutsy    hardy
CVE-2007-6282: pending  pending  pending  pending
CVE-2008-1615: needed   needed   needed   needed
CVE-2008-1673: pending  pending  pending  pending
CVE-2008-2136: pending  pending  pending  pending
CVE-2008-2137: pending  pending  pending  pending
CVE-2008-2148: N/A      N/A      pending  pending
CVE-2008-2358: N/A      pending  pending  pending
CVE-2008-2750: N/A      N/A      N/A      pending

I need help with CVE-2008-1615: the code has changed a lot between
revisions, has been touched by the virt bits, and is pretty non-obvious
to me.

I'd like to publish as soon as possible after 8.04.1 is released. To
that end, can someone start build and boot testing? None of the patches
looked like ABI bumpers.

Thanks,

-Kees

--
Kees Cook
Ubuntu Security Team

--
kernel-team mailing list
kernel-team@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kernel-team
pending stable kernel security updates
Kees Cook wrote:
> Hello! I've got more pending kernel updates waiting in the
> ubuntu-security git trees now:
>
>                dapper   feisty   gutsy    hardy
> CVE-2007-6282: pending  pending  pending  pending
> CVE-2008-1615: needed   needed   needed   needed
> CVE-2008-1673: pending  pending  pending  pending
> CVE-2008-2136: pending  pending  pending  pending
> CVE-2008-2137: pending  pending  pending  pending
> CVE-2008-2148: N/A      N/A      pending  pending
> CVE-2008-2358: N/A      pending  pending  pending
> CVE-2008-2750: N/A      N/A      N/A      pending
>
> I need help with CVE-2008-1615: the code has changed a lot between
> revisions, has been touched by the virt bits, and is pretty non-obvious
> to me.
>
> I'd like to publish as soon as possible after 8.04.1 is released. To
> that end, can someone start build and boot testing? None of the patches
> looked like ABI bumpers.
>
> Thanks,
>
> -Kees
>

Kees - As far as I can tell CVE-2008-1615 does not apply to
Dapper/Feisty/Gutsy/Hardy. See
https://bugzilla.redhat.com/show_bug.cgi?id=431430

The issue was introduced with commit
72fe4858544292ad64600765cb78bc02298c6b1c which was during the 2.6.25
merge window. The key is that the definition of 'iret_label' was
changed, i.e., it lost its alignment statement:

-	.quad iret_label,bad_iret
+	.quad native_iret, bad_iret

Yet the interrupt return code later on continued to use 'iret_label'
which is now unaligned (a bad thing):

	leaq iret_label(%rip),%rbp

You can also read Roland McGrath's somewhat caustic commit log entry in
a57dae3aa4d00a000b5bac4238025438204c78b2 if you are in need of some
humor.

rtg

--
Tim Gardner
tim.gardner@ubuntu.com
pending stable kernel security updates
On Tue, Jun 24, 2008 at 08:45:38AM -0600, Tim Gardner wrote:
> Kees Cook wrote:
> > I need help with CVE-2008-1615: the code has changed a lot between
> > revisions, has been touched by the virt bits, and is pretty non-obvious
> > to me.
>
> Kees - As far as I can tell CVE-2008-1615 does not apply to
> Dapper/Feisty/Gutsy/Hardy. See

That's what I was thinking too, except that I got seriously confused
comparing the upstream fix (a57dae3aa4d00a000b5bac4238025438204c78b2)
with what was in the RH bug and what Debian used:

https://bugzilla.redhat.com/attachment.cgi?id=294062
http://svn.debian.org/wsvn/kernel/dists/etch-security/linux-2.6/debian/patches/bugfix/amd64-cs-corruption.patch?op=file&rev=0&sc=0

It seems almost unrelated to the upstream commit. ?

> You can also read Roland McGrath's somewhat caustic commit log entry in
> a57dae3aa4d00a000b5bac4238025438204c78b2 if you are in need of some humor.

Yeah, owchy. :)

-Kees

--
Kees Cook
Ubuntu Security Team
pending stable kernel security updates
Kees Cook wrote:
> On Tue, Jun 24, 2008 at 08:45:38AM -0600, Tim Gardner wrote:
>> Kees Cook wrote:
>>> I need help with CVE-2008-1615: the code has changed a lot between
>>> revisions, has been touched by the virt bits, and is pretty non-obvious
>>> to me.
>> Kees - As far as I can tell CVE-2008-1615 does not apply to
>> Dapper/Feisty/Gutsy/Hardy. See
>
> That's what I was thinking too, except that I got seriously confused
> comparing the upstream fix (a57dae3aa4d00a000b5bac4238025438204c78b2)
> with what was in the RH bug and what Debian used:
>
> https://bugzilla.redhat.com/attachment.cgi?id=294062
> http://svn.debian.org/wsvn/kernel/dists/etch-security/linux-2.6/debian/patches/bugfix/amd64-cs-corruption.patch?op=file&rev=0&sc=0
>
> It seems almost unrelated to the upstream commit. ?
>
>> You can also read Roland McGrath's somewhat caustic commit log entry in
>> a57dae3aa4d00a000b5bac4238025438204c78b2 if you are in need of some humor.
>
> Yeah, owchy. :)
>
> -Kees
>

It looks like there are 2 ways CS can get corrupted (and two fixes for
these corruption cases), e.g., the original patch against 2.6.4 and
higher (the Debian patch), and the Roland McGrath patch (which is a bit
of a red herring in the bugzilla report, nor does it really apply to
this CVE).

The Debian patch looks correct. It's my guess that 'RESTORE_ALL 8'
immediately prior to 'iretq' does not restore segment registers. Due to
assembler magic the jump to the iret_label symbol will load CS with the
destination segment, in essence restoring CS to the trap segment which
is necessary for a successful 'iretq'.

rtg

--
Tim Gardner
tim.gardner@ubuntu.com
pending stable kernel security updates
Hi Tim,
On Tue, Jun 24, 2008 at 10:21:01AM -0600, Tim Gardner wrote:
> The Debian patch looks correct. It's my guess that 'RESTORE_ALL 8'
> immediately prior to 'iretq' does not restore segment registers. Due to
> assembler magic the jump to the iret_label symbol will load CS with the
> destination segment, in essence restoring CS to the trap segment which
> is necessary for a successful 'iretq'.

Okay, great. I've pushed the patch into the ubuntu-security trees.
Thanks again for digging this up!

-Kees

--
Kees Cook
Ubuntu Security Team
pending stable kernel security updates
On Mon, Jun 23, 2008 at 10:49:39PM -0700, Kees Cook wrote:
> Hello! I've got more pending kernel updates waiting in the
> ubuntu-security git trees now:

Here's an update, given the 4 recently-public CVEs. Current state of
the CVEs, where "pending" means the fix is in the corresponding
ubuntu-security git repo:

              dapper        feisty        gutsy         hardy
CVE-2007-6282 pending       pending       pending       pending
CVE-2007-6712 not-affected  pending       pending       not-affected
CVE-2008-0598 needs-triage  needs-triage  needs-triage  not-affected
CVE-2008-1615 pending       pending       pending       pending
CVE-2008-1673 pending       pending       pending       pending
CVE-2008-2136 pending       pending       pending       pending
CVE-2008-2137 pending       pending       pending       pending
CVE-2008-2148 not-affected  not-affected  pending       pending
CVE-2008-2358 not-affected  pending       pending       pending
CVE-2008-2372 not-affected  not-affected  not-affected  needed
CVE-2008-2729 pending       not-affected  not-affected  not-affected
CVE-2008-2750 not-affected  not-affected  not-affected  pending
CVE-2008-2826 pending       pending       pending       pending

I will likely ignore CVE-2008-2372, as I don't think it's actually a
vulnerability. What I now need help with is CVE-2008-0598 and
CVE-2008-2729. The changes are pretty different from release to
release. Looking at other vendors' patches just makes me feel even less
secure about doing the merges myself. I think I have CVE-2008-2729
sorted out, but I'd like to have the commit I used double-checked.

CVE-2008-0598
http://lkml.org/lkml/diff/2008/6/25/157/1
and maybe 64649a58919e66ec21792dbb6c48cb3da22cbd7f

Thanks guys,

-Kees

--
Kees Cook
Ubuntu Security Team
pending stable kernel security updates
Kees Cook wrote:
> On Mon, Jun 23, 2008 at 10:49:39PM -0700, Kees Cook wrote:
>> Hello! I've got more pending kernel updates waiting in the
>> ubuntu-security git trees now:
>
> Here's an update, given the 4 recently-public CVEs. Current state of
> the CVEs, where "pending" means the fix is in the corresponding
> ubuntu-security git repo:
>
>               dapper        feisty        gutsy         hardy
> CVE-2007-6282 pending       pending       pending       pending
> CVE-2007-6712 not-affected  pending       pending       not-affected
> CVE-2008-0598 needs-triage  needs-triage  needs-triage  not-affected
> CVE-2008-1615 pending       pending       pending       pending
> CVE-2008-1673 pending       pending       pending       pending
> CVE-2008-2136 pending       pending       pending       pending
> CVE-2008-2137 pending       pending       pending       pending
> CVE-2008-2148 not-affected  not-affected  pending       pending
> CVE-2008-2358 not-affected  pending       pending       pending
> CVE-2008-2372 not-affected  not-affected  not-affected  needed
> CVE-2008-2729 pending       not-affected  not-affected  not-affected
> CVE-2008-2750 not-affected  not-affected  not-affected  pending
> CVE-2008-2826 pending       pending       pending       pending
>
> I will likely ignore CVE-2008-2372, as I don't think it's actually a
> vulnerability. What I now need help with is CVE-2008-0598 and
> CVE-2008-2729. The changes are pretty different from release to
> release. Looking at other vendors' patches just makes me feel even less
> secure about doing the merges myself. I think I have CVE-2008-2729
> sorted out, but I'd like to have the commit I used double-checked.
>
> CVE-2008-0598
> http://lkml.org/lkml/diff/2008/6/25/157/1
> and maybe 64649a58919e66ec21792dbb6c48cb3da22cbd7f
>
> Thanks guys,
>
> -Kees
>

Kees - please pull CVE-2008-0598 for dapper/feisty/gutsy from:

git://kernel.ubuntu.com/rtg/ubuntu-dapper.git master
git://kernel.ubuntu.com/rtg/ubuntu-feisty.git master
git://kernel.ubuntu.com/rtg/ubuntu-gutsy.git master

CVE-2008-2729 is kind of related, but different. Some of the symptoms
appear similar. Backporting the copy_user assembler is going to be quite
difficult. However, it has yet to land upstream.

rtg

--
Tim Gardner
tim.gardner@ubuntu.com
pending stable kernel security updates
Tim Gardner wrote:
> Kees Cook wrote:
>> On Mon, Jun 23, 2008 at 10:49:39PM -0700, Kees Cook wrote:
>>> Hello! I've got more pending kernel updates waiting in the
>>> ubuntu-security git trees now:
>> Here's an update, given the 4 recently-public CVEs. Current state of
>> the CVEs, where "pending" means the fix is in the corresponding
>> ubuntu-security git repo:
>>
>>               dapper        feisty        gutsy         hardy
>> CVE-2007-6282 pending       pending       pending       pending
>> CVE-2007-6712 not-affected  pending       pending       not-affected
>> CVE-2008-0598 needs-triage  needs-triage  needs-triage  not-affected
>> CVE-2008-1615 pending       pending       pending       pending
>> CVE-2008-1673 pending       pending       pending       pending
>> CVE-2008-2136 pending       pending       pending       pending
>> CVE-2008-2137 pending       pending       pending       pending
>> CVE-2008-2148 not-affected  not-affected  pending       pending
>> CVE-2008-2358 not-affected  pending       pending       pending
>> CVE-2008-2372 not-affected  not-affected  not-affected  needed
>> CVE-2008-2729 pending       not-affected  not-affected  not-affected
>> CVE-2008-2750 not-affected  not-affected  not-affected  pending
>> CVE-2008-2826 pending       pending       pending       pending
>>
>> I will likely ignore CVE-2008-2372, as I don't think it's actually a
>> vulnerability. What I now need help with is CVE-2008-0598 and
>> CVE-2008-2729. The changes are pretty different from release to
>> release. Looking at other vendors' patches just makes me feel even less
>> secure about doing the merges myself. I think I have CVE-2008-2729
>> sorted out, but I'd like to have the commit I used double-checked.
>>
>> CVE-2008-0598
>> http://lkml.org/lkml/diff/2008/6/25/157/1
>> and maybe 64649a58919e66ec21792dbb6c48cb3da22cbd7f
>>
>> Thanks guys,
>>
>> -Kees
>>
>
> Kees - please pull CVE-2008-0598 for dapper/feisty/gutsy from:
>
> git://kernel.ubuntu.com/rtg/ubuntu-dapper.git master
> git://kernel.ubuntu.com/rtg/ubuntu-feisty.git master
> git://kernel.ubuntu.com/rtg/ubuntu-gutsy.git master
>
> CVE-2008-2729 is kind of related, but different. Some of the symptoms
> appear similar. Backporting the copy_user assembler is going to be quite
> difficult. However, it has yet to land upstream.
>
> rtg

Kees - Please pull from

git://kernel.ubuntu.com/rtg/ubuntu-security/ubuntu-dapper master
git://kernel.ubuntu.com/rtg/ubuntu-security/ubuntu-feisty master
git://kernel.ubuntu.com/rtg/ubuntu-security/ubuntu-gutsy master
git://kernel.ubuntu.com/rtg/ubuntu-security/ubuntu-hardy master

These are the fully packaged versions with correct changelog and ABI
files. The corresponding i386 and amd64 binary packages can be found at
chinstrap.canonical.com:~rtg/kern/security.

If your boot and regression tests prove successful, then I think these
security updates are ready to be uploaded.

rtg

--
Tim Gardner
tim.gardner@ubuntu.com