In this issue of "we have no clue what we're doing," we have:
"Format string bug. Not exploitable, as this is only writable by root,
but worth fixing all the same."
Sorry, but when protections such as SELinux are implemented in the kernel which are meant to
make uid == 0 not mean a full compromise of a system, the ability to completely subvert the
kernel and thus all of these protections does in fact make this a security issue.
"double-free of inode on alloc_file() failure exit in create_write_pipe()"
Is at minimum a local DoS. Max out your file descriptors and create a pipe, refcnts on the
file will be wrong and free_pipe_info will get called on a possibly trashed inode. In fact,
the bugzilla entry referenced by the commit calls it a DoS and provides code to cause the DoS:
Yet again no CVE and no mention of security despite the committer's obvious knowledge of the
implications of the bug.
Meanwhile we have:
waiting to be fixed in -stable, which is trivially exploitable.
We also have vendorsec sitting on a patch from Serge Hallyn fixing the vulnerability in TPM I
alluded to in my previous posting. One week on a one-line fix which has yet to make it
upstream (which Serge requested be fixed ASAP).
I'm sure there's more fun to be found in these "bugfixes" but I only looked for a few minutes.
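As an added illustration (not code from the posting or from the kernel) of the "double-free on a failure exit" shape called out above, the following constructed C model shows a refcounted inode released once by a cleanup helper and then again by the caller's own error path, beside the corrected error path that releases it exactly once. All names here (`model_inode`, `model_create_pipe_buggy`, `model_free_pipe_info`, and so on) are hypothetical stand-ins for the kernel objects and functions named in the mail, and the "file table full" condition is simulated with a flag rather than by exhausting real descriptors. The single static object lets the second release be counted instead of being undefined behaviour.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of a refcounted inode; not the kernel's struct inode. */
struct model_inode {
    int refcnt;
    int release_count;  /* times the object was released; >1 means a double free */
};

/* One static object so a second release is observable rather than UB. */
static struct model_inode slot;

static struct model_inode *model_new_inode(void)
{
    memset(&slot, 0, sizeof slot);
    slot.refcnt = 1;
    return &slot;
}

/* iput-style release: drop one reference, "free" at zero, and record any
 * release that arrives after the object is already dead. */
static void model_put_inode(struct model_inode *ino)
{
    if (ino->refcnt <= 0) {
        ino->release_count++;  /* release of an already-freed object */
        return;
    }
    if (--ino->refcnt == 0)
        ino->release_count++;  /* the one legitimate release */
}

/* Stand-in for file allocation; fails when the caller says the file table
 * is exhausted. On success it would take ownership of the reference. */
static int model_alloc_file(struct model_inode *ino, int table_full)
{
    (void)ino;
    return table_full ? -1 : 0;
}

/* Cleanup helper that, like the free_pipe_info() named in the mail, also
 * drops the inode reference handed to it. */
static void model_free_pipe_info(struct model_inode *ino)
{
    model_put_inode(ino);
}

/* Buggy shape: the failure exit calls the cleanup helper AND releases the
 * inode itself, so the single reference is dropped twice. */
static int model_create_pipe_buggy(struct model_inode **out, int table_full)
{
    struct model_inode *ino = model_new_inode();
    *out = ino;
    if (model_alloc_file(ino, table_full) < 0) {
        model_free_pipe_info(ino);  /* releases the reference ... */
        model_put_inode(ino);       /* ... and releases it again */
        return -1;
    }
    return 0;
}

/* Fixed shape: the failure exit releases the reference exactly once, via
 * the helper that owns it. */
static int model_create_pipe_fixed(struct model_inode **out, int table_full)
{
    struct model_inode *ino = model_new_inode();
    *out = ino;
    if (model_alloc_file(ino, table_full) < 0) {
        model_free_pipe_info(ino);
        return -1;
    }
    return 0;
}

/* Run the failing path of either variant and report how many times the
 * inode was released (2 = double free, 1 = correct). */
static int model_error_path_releases(int use_fixed)
{
    struct model_inode *ino;
    if (use_fixed)
        model_create_pipe_fixed(&ino, 1);
    else
        model_create_pipe_buggy(&ino, 1);
    return ino->release_count;
}

int main(void)
{
    printf("buggy error path releases the inode %d times\n", model_error_path_releases(0));
    printf("fixed error path releases the inode %d times\n", model_error_path_releases(1));
    return 0;
}
```

The point for reviewers is the ownership rule the fixed variant follows: once a reference has been handed to a helper that releases it, the caller's error path must not release it again, and the failure-exit review should list, per exit, exactly which references that exit still owns.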