Re: Linux kernel CVEs not mentioned on oss-security

[Greg KH <greg () kroah com>]

On Thu, Sep 28, 2017 at 09:35:33AM +0200, Salvatore Bonaccorso wrote:
> Hi Greg,
>
> On Wed, Sep 27, 2017 at 03:04:24PM +0200, Greg KH wrote:
> > On Wed, Sep 27, 2017 at 02:51:49PM +0200, Solar Designer wrote:
> > > Besides, Greg focuses on the problem that some ignore the stable kernels
> > > or the "curated and tested stream of fixes" that could be seen in there,
> > > whereas another concern mentioned earlier in the thread is that the
> > > stream is also incomplete because some security fixes are not marked as
> > > such and not CC'ed to stable.  So that's two problems mentioned in the
> > > thread, but vendor-sec was not / linux-distros is not related to either.
> >
> > For that second issue, I've not ever really run into any "known security
> > fix" not being cc:ed to stable.  Do you have any known examples where I
> > can go poke the maintainers to do better?
> >
> > We have plenty of the normal "bugfix was merged that a few years later
> > turned out to be a 'security' issue, but no one realized it at the time"
> > changes that get merged.  And to help combat that, we are doing more and
> > more "smart mining"[1] of the kernel commits to try to catch patches
> > that match those types of fixes and get them merged into the stable
> > kernels.
> >
> > You can see the initial results of this work with the huge increase in
> > patches being merged to the 4.9 and 4.4 stable kernels vs. any older
> > stable kernel trees in the past.
>
> This is defintively not "exhaustive", and not exactly what you are
> pointing out. I thought it might be still of help, so I quickly looked
> what we know in our kernel-sec repository tracking as well fixed which
> are "needed" yet in 4.9:
>
> CVE-2017-0605:
> --------------
> https://security-tracker.debian.org/tracker/CVE-2017-0605
> upstream: (4.12-rc1) [e09e28671cda63e6308b31798b997639120e2a21]
>
> is e.g. includedin 3.16.44 (a1141b19b23a0605d46f3fab63fd2d76207096c4),
> 3.2.89 (e39e64193a8a611d11d4c62579a7246c1af70d1c) but not in 4.9.
>
> (afaics not Cc'ed to stable).

Ouch, thanks for letting me know, that's not good, we don't want to get
the trees out of sync for obvious reasons.

> CVE-2017-12154:
> ---------------
> https://security-tracker.debian.org/tracker/CVE-2017-12154
> from https://marc.info/?l=oss-security&m=150640182829622&w=2
>
> upstream: released (4.14-rc1) [51aa68e7d57e3217192d88ce90fd5b8ef29ec94f]
>
> AFAICS, not Cc'ed to stable.
>
> CVE-2017-14156:
> ---------------
> https://security-tracker.debian.org/tracker/CVE-2017-14156
> upstream: released (4.14-rc1) [8e75f7a7a00461ef6d91797a60b606367f6e344d]
>
> CVE-2017-1000252:
> -----------------
> https://security-tracker.debian.org/tracker/CVE-2017-1000252
> The reaon that there is no Cc to stable might have been actually a
> safety guard to not sent out the commit to a public list, but not
> sure.
>
> upstream: released (4.14-rc1) [3a8b0677fc6180a467e26cc32ce6b0c09a32f9bb]
>
> Hope this might be of help.

Yes, many thanks, I'll add these to the list of things to queue up soon.

thanks again,

greg k-h