Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Fri, 31 Jan 2014 19:18:33 +0100
From: rf@...eap.de
To: oss-security@...ts.openwall.com
Subject: Re: Linux 3.4+: arbitrary write with CONFIG_X86_X32
	(CVE-2014-0038)

>>>>> "SD" == Solar Designer <solar@...nwall.com> writes:

    SD> On Fri, Jan 31, 2014 at 04:11:16AM +0400, Solar Designer wrote:
    >> [...] I guess the newer patch (from the second forwarded message
    >> above) is preferable (the one I expect to see committed soon).

    SD> Here's the commit:

    SD> http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/net/compat.c?id=2def2ef2ae5f3990aabdbe8a755911902707d268

    >> It appears, from the linux-distros discussion, that a couple of
    >> distros are going to release emergency security updates for this.
    >> If they did not express interest in an extra day of embargo, the
    >> issue would likely be made public on the first day (not on the
    >> second).

    SD> Ubuntu advisories and updates:

    SD> http://www.ubuntu.com/usn/usn-2096-1/
    SD> http://www.ubuntu.com/usn/usn-2095-1/
    SD> http://www.ubuntu.com/usn/usn-2094-1/

    SD> Even though the issue was easy to patch, I nevertheless find
    SD> this impressively quick for a major distro like Ubuntu, and this
    SD> probably justifies the extra day of embargo.

Yup, was good for us too, so we could double-check that the proposed fix
from your mail is working OK for others as well, since it hasn't arrived in
the kernel.org stable-queue git yet. By the way, Ubuntu used the longer
original patch, which we used [1] in the end as well (saw too late that Linus
already committed the shorter one).

Coming back to our earlier discussion about linux-distros membership [2]:
It definitely helped being on the list. Since the patch was trivial,
we didn't suffer a significant time delay compared to other distros. In
case of more complicated patches, this could have gotten tough though
given the fact that the new builds need a significant amount of testing as
well.

It would be nice, if we (and others in a similar boat) could get a
head-start of at least a couple of days (that's how I understood your
question in [2]). Maybe a "second-class citizen" list could complement
the linux-distros list with notifications slightly earlier than on
oss-security.

[1] https://qlustar.com/news/qsa-0131141-linux-kernel-vulnerabilities
[2] http://www.openwall.com/lists/oss-security/2014/01/22/1

Roland

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.