Debian GNU/Linux 4.0 updated

Posted Feb 18, 2008 17:38 UTC (Mon) by aba (subscriber, #24118)
Parent article: Debian GNU/Linux 4.0 updated

The comment "Note that the update for the recent kernel local root privilege escalation
problem did not make into this release." doesn't seem correct to me. The changelog of
linux-2.6 reads:
linux-2.6 (2.6.18.dfsg.1-18etch1) stable-security; urgency=high

  * bugfix/vmsplice-security.patch
    [SECURITY] Fix missing access check in vmsplice.
    See CVE-2008-0010, CVE-2008-0600
  * bugfix/all/vserver/proc-link-security.patch
    [SECURITY][vserver] Fix access checks for the links in /proc/$pid.

 -- Bastian Blank <waldi@debian.org>  Sun, 10 Feb 2008 18:37:05 +0100

Andi



Debian GNU/Linux 4.0 updated

Posted Feb 18, 2008 17:49 UTC (Mon) by ris (editor, #5) [Link]

The point is not that the kernel update doesn't exist, but that it is not included in the r3
release.  If you install 4.0r3 you will have to grab that kernel update afterwards.

Debian GNU/Linux 4.0 updated

Posted Feb 18, 2008 20:26 UTC (Mon) by aba (subscriber, #24118) [Link]

aba@ries:~$ dak ls linux-2.6 -s stable
 linux-2.6 | 2.6.18.dfsg.1-18etch1 |        stable | source

That sounds to me as if the version 2.6.18.dfsg.1-18etch1 of linux-2.6 is in etch, and I
pasted the most recent line of the changelog of that version. (Actually, I extracted the
changelog by vi pool/main/l/linux-2.6/linux-2.6_2.6.18.dfsg.1-18etch1.diff.gz with taking the
version number from dak ls).

I currently cannot see why the fixed version of linux-2.6 shouldn't be in Etch r3 - unless an
accident happened while creating the Packages-files. By looking at e.g.
zcat dists/etch/main/binary-i386/Packages.gz | grep-dctrl -P ^linux-image-2.6.18-6-686$ -r -s Version
Version: 2.6.18.dfsg.1-18etch1
it seems to me version numbers in the database and the Packages-file match (which they always
should of course).

So, can you please tell me where I'm wrong?


Andi

Debian GNU/Linux 4.0 updated

Posted Feb 18, 2008 23:06 UTC (Mon) by jake (editor, #205) [Link]

> So, can you please tell me where I'm wrong?

You may be right, I am not sure.  I put that comment in after looking over the list of DSAs
(Debian Security Announcements) that were fixed in this release.  DSA-1494 is the one that
fixes the bug in question and is not listed.  I, perhaps wrongly, believed that if a DSA was
addressed, it would be listed.

jake

Debian GNU/Linux 4.0 updated

Posted Feb 19, 2008 7:25 UTC (Tue) by aba (subscriber, #24118) [Link]

I agree, it should be listed in the list of DSAs. I'll check why the DSA is not in the list of
DSAs, but the fixed kernel is there definitely.

Debian GNU/Linux 4.0 updated

Posted Feb 19, 2008 18:36 UTC (Tue) by jake (editor, #205) [Link]

> but the fixed kernel is there definitely.

I am afraid it is not.  I installed 4.0r3 and built the exploit and it worked fine.  uname
tells me the following: 

Linux debian 2.6.18-6-686

The new kernel is _available_ of course, but not distributed as part of 4.0r3.

jake

Debian GNU/Linux 4.0 updated

Posted Feb 21, 2008 12:54 UTC (Thu) by mbanck (subscriber, #9035) [Link]

> The new kernel is _available_ of course, but not distributed as part of 4.0r3.

According to the person who mastered the CDs, the new kernel package should be on the CDs.

When/how did you install 4.0r3?  Which CD version (businesscard,netinst,full,dvd)?

What does "dpkg -l linux-image-2.6.18-6-686 | tail -1" return as version, in case you still
have that installation available.

Somebody should check the security advisory as well I guess.


Thanks,

Michael

Debian GNU/Linux 4.0 updated

Posted Feb 21, 2008 14:28 UTC (Thu) by jake (editor, #205) [Link]

> According to the person who mastered the CDs, the new kernel package should be on the CDs.

And it appears that it is.  I re-ran my tests (with much less cockpit error) and the exploit
does not work.

So, all that remains is why the DSA didn't get listed ...

jake

Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds