Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <21227.59641.784184.419064@gargle.gargle.HOWL>
Date: Fri, 31 Jan 2014 19:18:33 +0100
From: rf@...eap.de
To: oss-security@...ts.openwall.com
Subject: Re: Linux 3.4+: arbitrary write with CONFIG_X86_X32
	(CVE-2014-0038)

>>>>> "SD" == Solar Designer <solar@...nwall.com> writes:

    SD> On Fri, Jan 31, 2014 at 04:11:16AM +0400, Solar Designer wrote:
    >> [...] I guess the newer patch (from the second forwarded message
    >> above) is preferable (the one I expect to see committed soon).

    SD> Here's the commit:

    SD> http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/net/compat.c?id=2def2ef2ae5f3990aabdbe8a755911902707d268

    >> It appears, from the linux-distros discussion, that a couple of
    >> distros are going to release emergency security updates for this.
    >> If they did not express interest in an extra day of embargo, the
    >> issue would likely be made public on the first day (not on the
    >> second).

    SD> Ubuntu advisories and updates:

    SD> http://www.ubuntu.com/usn/usn-2096-1/
    SD> http://www.ubuntu.com/usn/usn-2095-1/
    SD> http://www.ubuntu.com/usn/usn-2094-1/

    SD> Even though the issue was easy to patch, I nevertheless find
    SD> this impressively quick for a major distro like Ubuntu, and this
    SD> probably justifies the extra day of embargo.

Yup, was good for us too, so we could double-check that the proposed fix
from your mail is working OK for others as well, since it hasn't arrived in
the kernel.org stable-queue git yet. By the way, Ubuntu used the longer
original patch, which we used [1] in the end as well (saw too late that Linus
already committed the shorter one).

Coming back to our earlier discussion about linux-distros membership [2]:
It definitely helped being on the list. Since the patch was trivial,
we didn't suffer a significant time delay compared to other distros. In
case of more complicated patches, this could have gotten tough though
given the fact that the new builds need a significant amount of testing as
well.

It would be nice, if we (and others in a similar boat) could get a
head-start of at least a couple of days (that's how I understood your
question in [2]). Maybe a "second-class citizen" list could complement
the linux-distros list with notifications slightly earlier than on
oss-security.

[1] https://qlustar.com/news/qsa-0131141-linux-kernel-vulnerabilities
[2] http://www.openwall.com/lists/oss-security/2014/01/22/1

Roland

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.