Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Sun, 8 Jun 2014 00:16:17 +0200 (CEST)
From: Thomas Gleixner <tglx@...utronix.de>
To: rf@...eap.de
cc: oss-security@...ts.openwall.com
Subject: Re: Linux kernel futex local privilege escalation
 (CVE-2014-3153)

On Fri, 6 Jun 2014, rf@...eap.de wrote:
> >>>>> "Thomas" == Thomas Gleixner <tglx@...utronix.de> writes:
> 
> Hi Thomas,
> 
>     >> On Thu, Jun 05, 2014 at 11:38:27PM -0400, Rich Felker wrote:
>     >> > On Thu, Jun 05, 2014 at 06:45:45PM +0400, Solar Designer wrote:
>     >> > > I've attached patches by Thomas Gleixner (four e-mails, in
>     >> > > mbox format), as well as back-ports of those by John Johansen
>     >> > > of Canonical, who wrote:
>     >> >
>     >> > Maybe I'm missing something, but I can't find any statement of
>     >> > what version these patches are intended to apply cleanly
>     >> > to. They don't apply to latest stable.
>     >>
>     >> Thomas - can you answer Rich's question?  This is about patches
>     >> you sent on June 3 to linux-distros, which Kees then saved into
>     >> an mbox file.
> 
>     Thomas> They should apply cleanly, if all stable tagged futex
>     Thomas> patches before that are applied.
> 
> could you please clarify whether
> 
> f0d71b3dcb8332f7971b5f2363632573e6d9486a futex: Prevent attaching to kernel threads
> 866293ee54227584ffcb4a42f69c1f365974ba7f futex: Add another early deadlock detection check
> 
> absolutely have to be applied as well for the CVE's to be fixed and
> functionality being OK otherwise? I need to backport to 3.12.x. The patches
> for 3.13 sent by Alexander applied cleanly to latest 3.12.

I really recommend f0d71b3dcb8332f7971b5f2363632573e6d9486a.

866293ee54227584ffcb4a42f69c1f365974ba7f is made obsolete by the 4
real fixes, but applying it first gets rid of the rejects.

Thanks,

	tglx

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ