Date: Thu, 28 Sep 2017 09:35:33 +0200
From: Salvatore Bonaccorso <carnil@...ian.org>
To: oss-security@...ts.openwall.com
Subject: Re: Linux kernel CVEs not mentioned on oss-security

Hi Greg,

On Wed, Sep 27, 2017 at 03:04:24PM +0200, Greg KH wrote:
> On Wed, Sep 27, 2017 at 02:51:49PM +0200, Solar Designer wrote:
> > Besides, Greg focuses on the problem that some ignore the stable kernels
> > or the "curated and tested stream of fixes" that could be seen in there,
> > whereas another concern mentioned earlier in the thread is that the
> > stream is also incomplete because some security fixes are not marked as
> > such and not CC'ed to stable.  So that's two problems mentioned in the
> > thread, but vendor-sec was not / linux-distros is not related to either.
> 
> For that second issue, I've not ever really run into any "known security
> fix" not being cc:ed to stable.  Do you have any known examples where I
> can go poke the maintainers to do better?
> 
> We have plenty of the normal "bugfix was merged that a few years later
> turned out to be a 'security' issue, but no one realized it at the time"
> changes that get merged.  And to help combat that, we are doing more and
> more "smart mining"[1] of the kernel commits to try to catch patches
> that match those types of fixes and get them merged into the stable
> kernels.
> 
> You can see the initial results of this work with the huge increase in
> patches being merged to the 4.9 and 4.4 stable kernels vs. any older
> stable kernel trees in the past.

This is definitively not "exhaustive", and not exactly what you are
pointing out. I thought it might still be of help, so I quickly looked
at what we know in our kernel-sec repository tracking as fixed, which
are still "needed" in 4.9:

CVE-2017-0605:
--------------
https://security-tracker.debian.org/tracker/CVE-2017-0605
upstream: (4.12-rc1) [e09e28671cda63e6308b31798b997639120e2a21]

is e.g. included in 3.16.44 (a1141b19b23a0605d46f3fab63fd2d76207096c4),
3.2.89 (e39e64193a8a611d11d4c62579a7246c1af70d1c) but not in 4.9.

(afaics not Cc'ed to stable).

CVE-2017-12154:
---------------
https://security-tracker.debian.org/tracker/CVE-2017-12154
from https://marc.info/?l=oss-security&m=150640182829622&w=2

upstream: released (4.14-rc1) [51aa68e7d57e3217192d88ce90fd5b8ef29ec94f]

AFAICS, not Cc'ed to stable.

CVE-2017-14156:
---------------
https://security-tracker.debian.org/tracker/CVE-2017-14156
upstream: released (4.14-rc1) [8e75f7a7a00461ef6d91797a60b606367f6e344d]

CVE-2017-1000252:
-----------------
https://security-tracker.debian.org/tracker/CVE-2017-1000252
The reason that there is no Cc to stable might actually have been a
safety guard to not send out the commit to a public list, but I'm not
sure.

upstream: released (4.14-rc1) [3a8b0677fc6180a467e26cc32ce6b0c09a32f9bb]

Hope this might be of help.

Regards,
Salvatore
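The check done by hand above (is an upstream fix present in a given stable tree, and did the commit carry a "Cc: stable" trailer) as an added example that is not part of the thread: a POSIX shell script which assumes a local git clone of the kernel with the relevant stable tags and branches fetched (the repository path and ref names such as v3.16.44 or linux-4.9.y are the caller's assumptions). It also handles the case the mail illustrates, where the stable backport is a cherry-pick with a different hash that cites the upstream commit in its message.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes a kernel clone in $REPO.

# fix_in_ref REPO COMMIT REF
# Prints: yes            - COMMIT is an ancestor of REF (same hash)
#         backport:<sha> - REF holds a cherry-pick whose message cites COMMIT
#                          ("commit <sha> upstream." / "[ Upstream commit <sha> ]")
#         no             - neither found
#         unknown        - REF does not resolve in this clone
fix_in_ref() {
    repo=$1; commit=$2; ref=$3
    if ! git -C "$repo" rev-parse -q --verify "$ref^{commit}" >/dev/null 2>&1; then
        echo unknown; return
    fi
    if git -C "$repo" merge-base --is-ancestor "$commit" "$ref" 2>/dev/null; then
        echo yes; return
    fi
    # Stable backports get new hashes, so search REF's history for a commit
    # message that names the upstream hash.
    bp=$(git -C "$repo" log -1 --format=%H --grep="$commit" "$ref" 2>/dev/null)
    if [ -n "$bp" ]; then echo "backport:$bp"; else echo no; fi
}

# ccd_to_stable REPO COMMIT -> yes if the message has a "Cc: ...stable@..." line
ccd_to_stable() {
    if git -C "$1" show -s --format=%B "$2" 2>/dev/null \
        | grep -Eiq '^[[:space:]]*cc:.*stable@(vger\.)?kernel\.org'; then
        echo yes
    else
        echo no
    fi
}

# report REPO COMMIT REF... -> Cc status plus one line per ref
report() {
    repo=$1; commit=$2; shift 2
    echo "commit $commit: Cc: stable = $(ccd_to_stable "$repo" "$commit")"
    for ref in "$@"; do
        echo "  in $ref: $(fix_in_ref "$repo" "$commit" "$ref")"
    done
}

# Example invocation with the first hash from the mail (needs a kernel clone):
#   sh check_fix.sh /path/to/linux e09e28671cda63e6308b31798b997639120e2a21 \
#       v3.16.44 v3.2.89 linux-4.9.y
if [ "$#" -ge 3 ]; then
    report "$@"
fi
```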
