oss-sec mailing list archives
Re: Linux 3.4+: arbitrary write with CONFIG_X86_X32 (CVE-2014-0038)
From: rf () q-leap de
Date: Fri, 31 Jan 2014 19:18:33 +0100
"SD" == Solar Designer <solar () openwall com> writes:
SD> On Fri, Jan 31, 2014 at 04:11:16AM +0400, Solar Designer wrote:
>> [...] I guess the newer patch (from the second forwarded message
>> above) is preferable (the one I expect to see committed soon).

SD> Here's the commit:

SD> http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/net/compat.c?id=2def2ef2ae5f3990aabdbe8a755911902707d268

>> It appears, from the linux-distros discussion, that a couple of
>> distros are going to release emergency security updates for this.
>> If they did not express interest in an extra day of embargo, the
>> issue would likely be made public on the first day (not on the
>> second).

SD> Ubuntu advisories and updates:

SD> http://www.ubuntu.com/usn/usn-2096-1/
SD> http://www.ubuntu.com/usn/usn-2095-1/
SD> http://www.ubuntu.com/usn/usn-2094-1/

SD> Even though the issue was easy to patch, I nevertheless find
SD> this impressively quick for a major distro like Ubuntu, and this
SD> probably justifies the extra day of embargo.

Yup, was good for us too, so we could double-check that the proposed fix from your mail is working OK for others as well, since it hasn't arrived in the kernel.org stable-queue git yet.

By the way, Ubuntu used the longer original patch, which we used [1] in the end as well (saw too late that Linus already committed the shorter one).

Coming back to our earlier discussion about linux-distros membership [2]: It definitely helped being on the list. Since the patch was trivial, we didn't suffer a significant time delay compared to other distros. In case of more complicated patches, this could have gotten tough though given the fact that the new builds need a significant amount of testing as well. It would be nice, if we (and others in a similar boat) could get a head-start of at least a couple of days (that's how I understood your question in [2]). Maybe a "second-class citizen" list could complement the linux-distros list with notifications slightly earlier than on oss-security.

[1] https://qlustar.com/news/qsa-0131141-linux-kernel-vulnerabilities
[2] http://www.openwall.com/lists/oss-security/2014/01/22/1

Roland