Merge ~kees/ubuntu-cve-tracker:linux-cves into ubuntu-cve-tracker:master
Status: | Merged |
---|---|
Merged at revision: | 449c32e2fd6a9cfe5179e5be0a8e9d5cc9fe7792 |
Proposed branch: | ~kees/ubuntu-cve-tracker:linux-cves |
Merge into: | ubuntu-cve-tracker:master |
Diff against target: | 243 lines (+22/-23), 18 files modified: active/CVE-2021-27365 (+2/-2), active/CVE-2021-29154 (+1/-1), retired/CVE-2011-4594 (+0/-1), retired/CVE-2014-3610 (+1/-1), retired/CVE-2014-3611 (+1/-1), retired/CVE-2014-3645 (+1/-1), retired/CVE-2014-3646 (+1/-1), retired/CVE-2014-3647 (+2/-2), retired/CVE-2014-4943 (+1/-1), retired/CVE-2014-7826 (+1/-1), retired/CVE-2014-8134 (+1/-1), retired/CVE-2015-0239 (+1/-1), retired/CVE-2015-5307 (+1/-1), retired/CVE-2016-1575 (+2/-2), retired/CVE-2016-1576 (+2/-2), retired/CVE-2017-7184 (+2/-2), retired/CVE-2019-14895 (+1/-1), retired/CVE-2019-14901 (+1/-1) |
Related bugs: |
Reviewer | Review Type | Date Requested | Status |
---|---|---|---|
Steve Beattie | Approve | ||
Commit message
Cleaning up some kernel break/fix entries from the distant past and very recent.
Description of the change
Thadeu Lima de Souza Cascardo (cascardo) wrote : | # |
Steve Beattie (sbeattie) wrote : | # |
Hey Kees,
Cascardo has already commented on the CVEs in the active directory. Most
of the retired CVE changes look fine, the only two that are a problem
are:
> --- a/retired/
> +++ b/retired/
> @@ -39,8 +39,8 @@ CVSS:
> nvd: CVSS:3.
>
> Patches_linux:
> - break-fix: - 1175b6b8d963316
> - break-fix: - local-2016-1575-2
> + break-fix: e9be9d5e76e3487
> + break-fix: local-2016-
> upstream_linux: needed
> precise_linux: ignored (reached end-of-life)
> precise/esm_linux: not-affected (no user-namespace mounts)
> diff --git a/retired/
> index a87ae91..0e7bed8 100644
> --- a/retired/
> +++ b/retired/
> @@ -40,8 +40,8 @@ CVSS:
> nvd: CVSS:3.
>
> Patches_linux:
> - break-fix: - local-2016-1576-1
> - break-fix: - local-2016-1576-2
> + break-fix: e9be9d5e76e3487
> + break-fix: local-2016-
> upstream_linux: needed
> Priority_
> Priority_
> diff --git a/retired/
> index 167f349..7dff1d9 100644
Neither added breaks entries, local-2016-
local-2016-
*think* all commits here should have an alternation
between e9be9d5e76e3487
locally defined identifier for the git commit that pulled
back overlayfs into trusty's kernel, which I believe is
https:/
I'll try and fix it up tomorrow.
Thanks for trying to get the records straight!
--
Steve Beattie
<email address hidden>
Kees Cook (kees) wrote : | # |
> On Tue, Sep 14, 2021 at 04:15:47PM -0000, Kees Cook wrote:
> > Kees Cook has proposed merging ~kees/ubuntu-
>
> Hi, Kees.
>
> Thanks a lot for your work on this. Here is my take on some of these.
Hi! Thanks for the review. :)
> > diff --git a/active/
> > index dd06602..1e7aef6 100644
> > --- a/active/
> > +++ b/active/
> > @@ -33,8 +33,8 @@ CVSS:
> > nvd: CVSS:3.
> >
> > Patches_linux:
> > - break-fix: - f9dbdf97a5bd92b
> > - break-fix: - ec98ea7070e94cc
> > + break-fix: 23d6fefbb3f6b1c
> f9dbdf97a5bd92b
>
> This doesn't make sense. 23d6fefbb3f6 ("scsi: iscsi: Fix in-kernel conn
> failure handling") comes after f9dbdf97a5bd ("scsi: iscsi: Verify lengths
> on passthrough PDUs"). This looks more like 0896b7523026 ("[SCSI]
> open-iscsi/
> from 2005.
Whoops! Yes, this is a mispaste it seems. I agree, 0896b7523026 is best here.
>
> > + break-fix: a54a52caad4bd61
> ec98ea7070e94cc
>
> a54a52caad4b ("[SCSI] iscsi: fixup set/get param functions") is so old that
> I wouldn't bother adding it. We only support trusty and newer anyway.
> However, we do add 1da177 as a break commit sometimes. I think the most use
> of it is stating "the break commit is known". Because anything earlier than
> v3.13 will give us the same triage results.
I regularly do historical CVE flaw lifetime analysis (see the lifetime graph, slide 5, at https:/
> > diff --git a/active/
> > index ee3abb3..2559949 100644
> > --- a/active/
> > +++ b/active/
> > @@ -29,7 +29,7 @@ CVSS:
> > nvd: CVSS:3.
> >
> > Patches_linux:
> > - break-fix: - e4d4d456436bfb2
> > + break-fix: 0a14842f5a3c0e8
> e4d4d456436bfb2
>
> OK, this is the commit that introduces BPF JIT. Finding a break commit here
> would help us determine whether trusty is vulnerable. We know this can be
> exploited with eBPF, but no idea if cBPF could be used here. And, then,
> would the initial JIT implementation be vulnerable, or would it require
> some later commit? I still would rather leave the break commit as "-",
> stating that we still need to investigate this.
This is correct, though. It was specifically the x86_64 JIT that was broken (and that's what the fix fixes). This correctly maps to the next line, which is for i386:
> break-fix: 03f5781be2c7b7e
See the note at the end of e4d4d456436bfb2
Regardless, as "-" effectively means "beginning of GIT history", the in...
Kees Cook (kees) wrote : | # |
> Hey Kees,
>
> Cascardo has already commented on the CVEs in the active directory. Most
> of the retired CVE changes look fine, the only two that are a problem
> are:
>
> > --- a/retired/
> > +++ b/retired/
> > @@ -39,8 +39,8 @@ CVSS:
> > nvd: CVSS:3.
> >
> > Patches_linux:
> > - break-fix: - 1175b6b8d963316
> > - break-fix: - local-2016-1575-2
> > + break-fix: e9be9d5e76e3487
> 1175b6b8d963316
> > + break-fix: local-2016-
> > upstream_linux: needed
> > precise_linux: ignored (reached end-of-life)
> > precise/esm_linux: not-affected (no user-namespace mounts)
> > diff --git a/retired/
> > index a87ae91..0e7bed8 100644
> > --- a/retired/
> > +++ b/retired/
> > @@ -40,8 +40,8 @@ CVSS:
> > nvd: CVSS:3.
> >
> > Patches_linux:
> > - break-fix: - local-2016-1576-1
> > - break-fix: - local-2016-1576-2
> > + break-fix: e9be9d5e76e3487
> local-2016-
> > + break-fix: local-2016-
> > upstream_linux: needed
> > Priority_
> > Priority_
> > diff --git a/retired/
> > index 167f349..7dff1d9 100644
>
> Neither added breaks entries, local-2016-
> local-2016-
> *think* all commits here should have an alternation
> between e9be9d5e76e3487
> locally defined identifier for the git commit that pulled
> back overlayfs into trusty's kernel, which I believe is
> https:/
> it/?id=
>
> I'll try and fix it up tomorrow.
>
> Thanks for trying to get the records straight!
Ah-ha! Thanks for the reference -- I wasn't sure where the "local-*" stuff lived, and I wasn't sure it wasn't just a magic value. :) Thanks for finding the backport sha -- that seems a much better reference. Let me fix that now...
Kees Cook (kees) wrote : | # |
Ok, a393fe5f1d52 updated with both review comment threads. Thanks!
Steve Beattie (sbeattie) wrote : | # |
Thanks, I touched up the breaks entries and merged your fixes in https:/
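The `break-fix` lines discussed in this thread pair a break reference with a fix reference: `-` stands for a break that has not been identified, `|` separates alternatives, and `local-*` is a locally defined identifier. The following Python example is added here and is not code from ubuntu-cve-tracker; the function names, the finding labels and the rule that a sha is 40 hex characters are assumptions. It parses such lines and lists the entries that still lack a break commit or a fix sha.

```python
import re

# Assumption: tracker entries use full 40-character shas, as in the diff on this page.
FULL_SHA = re.compile(r"[0-9a-f]{40}")


def classify(ref):
    """Return the kind of a single break or fix reference."""
    if ref == "-":
        return "unknown"          # break not identified
    if ref.startswith("local-"):
        return "local"            # locally defined identifier
    if FULL_SHA.fullmatch(ref):
        return "sha"
    return "invalid"


def parse_break_fix(line):
    """Return (breaks, fixes) as lists of alternatives, or None for other lines."""
    key, sep, rest = line.strip().partition(":")
    if not sep or key != "break-fix":
        return None
    fields = rest.split()
    if len(fields) != 2:
        raise ValueError("expected '<break> <fix>', got %d field(s)" % len(fields))
    return fields[0].split("|"), fields[1].split("|")


def lint(text):
    """Return (line number, label) findings for every break-fix line in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        try:
            parsed = parse_break_fix(line)
        except ValueError:
            findings.append((lineno, "malformed"))
            continue
        if parsed is None:
            continue
        break_kinds = [classify(r) for r in parsed[0]]
        fix_kinds = [classify(r) for r in parsed[1]]
        if "invalid" in break_kinds + fix_kinds or "unknown" in fix_kinds:
            findings.append((lineno, "invalid-ref"))
        if "unknown" in break_kinds:
            findings.append((lineno, "break-unknown"))
        if "local" in fix_kinds and "sha" not in fix_kinds:
            findings.append((lineno, "fix-local-only"))
    return findings


# Sample assembled from lines in this page's diff; the last break-fix line is
# constructed (one field only) to show the malformed case.
SAMPLE = "\n".join([
    "Patches_linux:",
    " break-fix: - e4d4d456436bfb2fe412ee2cd489f7658449b098",
    " break-fix: 4d83812e9f64ea7a5be1d8c220e9534684ad74bd|e9be9d5e76e34872f0c37d72e25bc27fe9e2c54c 1175b6b8d96331676f1d436b089b965807f23b4a",
    " break-fix: 4d83812e9f64ea7a5be1d8c220e9534684ad74bd local-2016-1575-2",
    " break-fix: - local-2019-14895-fix|3d94a4a8373bf5f45cf5f939e88b8354dbf2311b",
    " break-fix: 23d6fefbb3f6b1c",
    "upstream_linux: needed",
])

if __name__ == "__main__":
    for lineno, label in lint(SAMPLE):
        print(lineno, label)
```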
Preview Diff
1 | diff --git a/active/CVE-2021-27365 b/active/CVE-2021-27365 |
2 | index b1adc58..3b30b1c 100644 |
3 | --- a/active/CVE-2021-27365 |
4 | +++ b/active/CVE-2021-27365 |
5 | @@ -33,8 +33,8 @@ CVSS: |
6 | nvd: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
7 | |
8 | Patches_linux: |
9 | - break-fix: - f9dbdf97a5bd92b1a49cee3d591b55b11fd7a6d5 |
10 | - break-fix: - ec98ea7070e94cc25a422ec97d1421e28d97b7ee |
11 | + break-fix: 0896b752302662909b52895bd7f601136001069d f9dbdf97a5bd92b1a49cee3d591b55b11fd7a6d5 |
12 | + break-fix: a54a52caad4bd6166cb7fa64e4e93031fa2fda5d ec98ea7070e94cc25a422ec97d1421e28d97b7ee |
13 | upstream_linux: released (5.12~rc2) |
14 | precise/esm_linux: ignored (was needs-triage ESM criteria) |
15 | trusty_linux: ignored (out of standard support) |
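Review bot: On the second added break-fix line, break commit a54a52caad4b was described in review as so old that anything earlier than v3.13 gives the same triage result, yet the file does not say why it is recorded. A short note that it is kept for flaw-lifetime analysis would stop a later cleanup from turning it back into `-`.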
16 | diff --git a/active/CVE-2021-29154 b/active/CVE-2021-29154 |
17 | index 7c5910c..45156b9 100644 |
18 | --- a/active/CVE-2021-29154 |
19 | +++ b/active/CVE-2021-29154 |
20 | @@ -29,7 +29,7 @@ CVSS: |
21 | nvd: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
22 | |
23 | Patches_linux: |
24 | - break-fix: - e4d4d456436bfb2fe412ee2cd489f7658449b098 |
25 | + break-fix: 0a14842f5a3c0e88a1e59fac5c3025db39721f74 e4d4d456436bfb2fe412ee2cd489f7658449b098 |
26 | break-fix: 03f5781be2c7b7e728d724ac70ba10799cc710d7 26f55a59dc65ff77cd1c4b37991e26497fc68049 |
27 | upstream_linux: released (5.12~rc7) |
28 | precise/esm_linux: ignored (end of ESM support, was needs-triage) |
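Review bot: The added line replaces `-` with break commit 0a14842f5a3c, but the reasoning given in review (the x86_64 JIT is what was broken, and the following line covers i386) is not recorded in the file. Add it as a note next to the entry, since the thread left open whether the initial JIT implementation or only a later commit is affected, and triage for older series depends on that answer.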
29 | diff --git a/retired/CVE-2011-4594 b/retired/CVE-2011-4594 |
30 | index b889018..cdbb29c 100644 |
31 | --- a/retired/CVE-2011-4594 |
32 | +++ b/retired/CVE-2011-4594 |
33 | @@ -26,7 +26,6 @@ CVSS: |
34 | |
35 | Patches_linux: |
36 | break-fix: c71d8ebe7a4496fb7231151cb70a6baa0cb56f9a bc909d9ddbf7778371e36a651d6e4194b1cc7d4c |
37 | - break-fix: 5b47b8038f183b44d2d8ff1c7d11a5c1be706b34 bc909d9ddbf7778371e36a651d6e4194b1cc7d4c |
38 | upstream_linux: released (3.1~rc5) |
39 | hardy_linux: not-affected |
40 | lucid_linux: not-affected |
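Review bot: The removed line drops a second break commit, 5b47b8038f18, for the same fix bc909d9ddbf7, and neither the commit message nor the thread explains the removal. If 5b47b8038f18 was simply wrong, say so in the commit message; if both commits introduced the flaw, keep it using the alternation form this patch uses elsewhere, `c71d8ebe7a44|5b47b8038f18` written with the full shas.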
41 | diff --git a/retired/CVE-2014-3610 b/retired/CVE-2014-3610 |
42 | index 52e1c0c..e3902fd 100644 |
43 | --- a/retired/CVE-2014-3610 |
44 | +++ b/retired/CVE-2014-3610 |
45 | @@ -56,7 +56,7 @@ CVSS: |
46 | nvd: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
47 | |
48 | Patches_linux: |
49 | - break-fix: - 854e8bb1aa06c578c2c9145fa6bfe3680ef63b23 |
50 | + break-fix: 6aa8b732ca01c3d7a54e93f4d701b8aabbe60fb7 854e8bb1aa06c578c2c9145fa6bfe3680ef63b23 |
51 | upstream_linux: released (3.18~rc2) |
52 | lucid_linux: released (2.6.32-71.138) |
53 | precise_linux: released (3.2.0-72.107) |
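Review bot: Break commit 6aa8b732ca01 on the added line is the same sha this patch assigns in seven other files (CVE-2014-3611, -3645, -3646, -3647, -8134, CVE-2015-0239 and -5307), for fixes released anywhere from 3.12~rc1 to 4.4~rc1. Check that each flaw was present from that commit and not introduced by a later change; where it came later, a narrower break commit gives more accurate affected-series triage than a shared default.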
54 | diff --git a/retired/CVE-2014-3611 b/retired/CVE-2014-3611 |
55 | index 9593266..a0baa66 100644 |
56 | --- a/retired/CVE-2014-3611 |
57 | +++ b/retired/CVE-2014-3611 |
58 | @@ -49,7 +49,7 @@ CVSS: |
59 | nvd: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H |
60 | |
61 | Patches_linux: |
62 | - break-fix: - 2febc839133280d5a5e8e1179c94ea674489dae2 |
63 | + break-fix: 6aa8b732ca01c3d7a54e93f4d701b8aabbe60fb7 2febc839133280d5a5e8e1179c94ea674489dae2 |
64 | upstream_linux: released (3.18~rc2) |
65 | lucid_linux: released (2.6.32-71.138) |
66 | precise_linux: released (3.2.0-72.107) |
67 | diff --git a/retired/CVE-2014-3645 b/retired/CVE-2014-3645 |
68 | index 9a8e0cc..196feb6 100644 |
69 | --- a/retired/CVE-2014-3645 |
70 | +++ b/retired/CVE-2014-3645 |
71 | @@ -30,7 +30,7 @@ Assigned-to: |
72 | CVSS: |
73 | |
74 | Patches_linux: |
75 | - break-fix: - bfd0a56b90005f8c8a004baf407ad90045c2b11e |
76 | + break-fix: 6aa8b732ca01c3d7a54e93f4d701b8aabbe60fb7 bfd0a56b90005f8c8a004baf407ad90045c2b11e |
77 | upstream_linux: released (3.12~rc1) |
78 | lucid_linux: ignored (reached end-of-life) |
79 | precise_linux: released (3.2.0-72.107) |
80 | diff --git a/retired/CVE-2014-3646 b/retired/CVE-2014-3646 |
81 | index 18417af..a616847 100644 |
82 | --- a/retired/CVE-2014-3646 |
83 | +++ b/retired/CVE-2014-3646 |
84 | @@ -47,7 +47,7 @@ CVSS: |
85 | nvd: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H |
86 | |
87 | Patches_linux: |
88 | - break-fix: - a642fc305053cc1c6e47e4f4df327895747ab485 |
89 | + break-fix: 6aa8b732ca01c3d7a54e93f4d701b8aabbe60fb7 a642fc305053cc1c6e47e4f4df327895747ab485 |
90 | upstream_linux: released (3.18~rc2) |
91 | lucid_linux: ignored (reached end-of-life) |
92 | precise_linux: released (3.2.0-72.107) |
93 | diff --git a/retired/CVE-2014-3647 b/retired/CVE-2014-3647 |
94 | index 607f12a..f6aa58c 100644 |
95 | --- a/retired/CVE-2014-3647 |
96 | +++ b/retired/CVE-2014-3647 |
97 | @@ -46,8 +46,8 @@ CVSS: |
98 | nvd: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H |
99 | |
100 | Patches_linux: |
101 | - break-fix: - 234f3ce485d54017f15cf5e0699cff4100121601 |
102 | - break-fix: - d1442d85cc30ea75f7d399474ca738e0bc96f715 |
103 | + break-fix: 6aa8b732ca01c3d7a54e93f4d701b8aabbe60fb7 234f3ce485d54017f15cf5e0699cff4100121601 |
104 | + break-fix: 6aa8b732ca01c3d7a54e93f4d701b8aabbe60fb7 d1442d85cc30ea75f7d399474ca738e0bc96f715 |
105 | upstream_linux: released (3.18~rc2) |
106 | lucid_linux: ignored (reached end-of-life) |
107 | precise_linux: released (3.2.0-72.107) |
108 | diff --git a/retired/CVE-2014-4943 b/retired/CVE-2014-4943 |
109 | index c028d2e..841d099 100644 |
110 | --- a/retired/CVE-2014-4943 |
111 | +++ b/retired/CVE-2014-4943 |
112 | @@ -34,7 +34,7 @@ Assigned-to: |
113 | CVSS: |
114 | |
115 | Patches_linux: |
116 | - break-fix: - 3cf521f7dc87c031617fd47e4b7aa2593c2f3daf |
117 | + break-fix: 3557baabf28088f49bdf72a048fd33ab62e205b1 3cf521f7dc87c031617fd47e4b7aa2593c2f3daf |
118 | upstream_linux: released (3.16~rc6) |
119 | lucid_linux: released (2.6.32-64.128) |
120 | precise_linux: released (3.2.0-67.101) |
121 | diff --git a/retired/CVE-2014-7826 b/retired/CVE-2014-7826 |
122 | index cb088e3..d5d53e5 100644 |
123 | --- a/retired/CVE-2014-7826 |
124 | +++ b/retired/CVE-2014-7826 |
125 | @@ -34,7 +34,7 @@ CVSS: |
126 | nvd: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
127 | |
128 | Patches_linux: |
129 | - break-fix: - 086ba77a6db00ed858ff07451bedee197df868c9 |
130 | + break-fix: bed1ffca022cc876fb83161d26670e9b5d3cf36b 086ba77a6db00ed858ff07451bedee197df868c9 |
131 | upstream_linux: released (3.18~rc3) |
132 | lucid_linux: not-affected (depends on CONFIG_FTRACE_SYSCALLS) |
133 | precise_linux: released (3.2.0-73.108) |
134 | diff --git a/retired/CVE-2014-8134 b/retired/CVE-2014-8134 |
135 | index f5c21f1..faf3faa 100644 |
136 | --- a/retired/CVE-2014-8134 |
137 | +++ b/retired/CVE-2014-8134 |
138 | @@ -37,7 +37,7 @@ CVSS: |
139 | nvd: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N |
140 | |
141 | Patches_linux: |
142 | - break-fix: - 29fa6825463c97e5157284db80107d1bfac5d77b |
143 | + break-fix: 6aa8b732ca01c3d7a54e93f4d701b8aabbe60fb7 29fa6825463c97e5157284db80107d1bfac5d77b |
144 | upstream_linux: released (3.19~rc1) |
145 | lucid_linux: released (2.6.32-70.137) |
146 | precise_linux: released (3.2.0-74.109) |
147 | diff --git a/retired/CVE-2015-0239 b/retired/CVE-2015-0239 |
148 | index 0cd0947..0170d39 100644 |
149 | --- a/retired/CVE-2015-0239 |
150 | +++ b/retired/CVE-2015-0239 |
151 | @@ -34,7 +34,7 @@ Assigned-to: |
152 | CVSS: |
153 | |
154 | Patches_linux: |
155 | - break-fix: - f3747379accba8e95d70cec0eae0582c8c182050 |
156 | + break-fix: 6aa8b732ca01c3d7a54e93f4d701b8aabbe60fb7 f3747379accba8e95d70cec0eae0582c8c182050 |
157 | upstream_linux: released (3.19~rc6) |
158 | lucid_linux: ignored (reached end-of-life) |
159 | precise_linux: released (3.2.0-77.112) |
160 | diff --git a/retired/CVE-2015-5307 b/retired/CVE-2015-5307 |
161 | index a1ff897..c307ccd 100644 |
162 | --- a/retired/CVE-2015-5307 |
163 | +++ b/retired/CVE-2015-5307 |
164 | @@ -39,7 +39,7 @@ Assigned-to: |
165 | CVSS: |
166 | |
167 | Patches_linux: |
168 | - break-fix: - 54a20552e1eae07aa240fa370a0293e006b5faed |
169 | + break-fix: 6aa8b732ca01c3d7a54e93f4d701b8aabbe60fb7 54a20552e1eae07aa240fa370a0293e006b5faed |
170 | upstream_linux: released (4.4~rc1) |
171 | precise_linux: released (3.2.0-94.134) |
172 | precise/esm_linux: released (3.2.0-94.134) |
173 | diff --git a/retired/CVE-2016-1575 b/retired/CVE-2016-1575 |
174 | index ea35449..e5e0219 100644 |
175 | --- a/retired/CVE-2016-1575 |
176 | +++ b/retired/CVE-2016-1575 |
177 | @@ -39,8 +39,8 @@ CVSS: |
178 | nvd: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
179 | |
180 | Patches_linux: |
181 | - break-fix: - 1175b6b8d96331676f1d436b089b965807f23b4a |
182 | - break-fix: - local-2016-1575-2 |
183 | + break-fix: 4d83812e9f64ea7a5be1d8c220e9534684ad74bd|e9be9d5e76e34872f0c37d72e25bc27fe9e2c54c 1175b6b8d96331676f1d436b089b965807f23b4a |
184 | + break-fix: 4d83812e9f64ea7a5be1d8c220e9534684ad74bd local-2016-1575-2 |
185 | upstream_linux: needed |
186 | precise_linux: ignored (reached end-of-life) |
187 | precise/esm_linux: not-affected (no user-namespace mounts) |
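Review bot: The second added line gives only 4d83812e9f64 as the break for local-2016-1575-2, while the line above it uses the alternation with e9be9d5e76e3. The review thread suggested an alternation for the entries here, so either add the second break sha or add a one-line note saying the local fix applies only to the backported code, so the asymmetry reads as deliberate.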
188 | diff --git a/retired/CVE-2016-1576 b/retired/CVE-2016-1576 |
189 | index a87ae91..612a4f7 100644 |
190 | --- a/retired/CVE-2016-1576 |
191 | +++ b/retired/CVE-2016-1576 |
192 | @@ -40,8 +40,8 @@ CVSS: |
193 | nvd: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
194 | |
195 | Patches_linux: |
196 | - break-fix: - local-2016-1576-1 |
197 | - break-fix: - local-2016-1576-2 |
198 | + break-fix: 4d83812e9f64ea7a5be1d8c220e9534684ad74bd|e9be9d5e76e34872f0c37d72e25bc27fe9e2c54c local-2016-1576-1|e9f57ebcba563e0cd532926cab83c92bb4d79360 |
199 | + break-fix: 4d83812e9f64ea7a5be1d8c220e9534684ad74bd local-2016-1576-2 |
200 | upstream_linux: needed |
201 | Priority_linux_precise: low |
202 | Priority_linux_precise/esm: low |
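Review bot: On the second added line the fix is still only `local-2016-1576-2`, whereas the first line now pairs `local-2016-1576-1` with sha e9f57ebcba56. If a commit exists for the second local identifier, add it the same way so the entry can be resolved from git alone; if none exists, note that in the file.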
203 | diff --git a/retired/CVE-2017-7184 b/retired/CVE-2017-7184 |
204 | index 167f349..7dff1d9 100644 |
205 | --- a/retired/CVE-2017-7184 |
206 | +++ b/retired/CVE-2017-7184 |
207 | @@ -42,8 +42,8 @@ CVSS: |
208 | nvd: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
209 | |
210 | Patches_linux: |
211 | - break-fix: - 677e806da4d916052585301785d847c3b3e6186a |
212 | - break-fix: - f843ee6dd019bcece3e74e76ad9df0155655d0df |
213 | + break-fix: d51d081d65048a7a6f9956a7809c3bb504f3b95d 677e806da4d916052585301785d847c3b3e6186a |
214 | + break-fix: d51d081d65048a7a6f9956a7809c3bb504f3b95d f843ee6dd019bcece3e74e76ad9df0155655d0df |
215 | upstream_linux: released (4.11~rc5) |
216 | precise_linux: released (3.2.0-125.168) |
217 | precise/esm_linux: released (3.2.0-125.168) |
218 | diff --git a/retired/CVE-2019-14895 b/retired/CVE-2019-14895 |
219 | index 7cc738a..9a32611 100644 |
220 | --- a/retired/CVE-2019-14895 |
221 | +++ b/retired/CVE-2019-14895 |
222 | @@ -34,7 +34,7 @@ CVSS: |
223 | nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
224 | |
225 | Patches_linux: |
226 | - break-fix: - local-2019-14895-fix |
227 | + break-fix: - local-2019-14895-fix|3d94a4a8373bf5f45cf5f939e88b8354dbf2311b |
228 | upstream_linux: needed |
229 | precise/esm_linux: ignored (was needs-triage ESM criteria) |
230 | trusty_linux: ignored (out of standard support) |
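Review bot: The added line keeps `-` as the break while giving the fix a sha alternative, and the `upstream_linux: needed` context line is unchanged. If 3d94a4a8373b is the upstream fix, update the status line in the same change; if it is a distro-only commit, say so in a note. The CVE-2019-14901 hunk that follows has the same shape.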
231 | diff --git a/retired/CVE-2019-14901 b/retired/CVE-2019-14901 |
232 | index 55b2aa0..b56ec9d 100644 |
233 | --- a/retired/CVE-2019-14901 |
234 | +++ b/retired/CVE-2019-14901 |
235 | @@ -36,7 +36,7 @@ CVSS: |
236 | nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
237 | |
238 | Patches_linux: |
239 | - break-fix: - local-2019-14901-fix |
240 | + break-fix: - local-2019-14901-fix|1e58252e334dc3f3756f424a157d1b7484464c40 |
241 | upstream_linux: needed |
242 | precise/esm_linux: ignored (was needs-triage ESM criteria) |
243 | trusty_linux: ignored (out of standard support) |
On Tue, Sep 14, 2021 at 04:15:47PM -0000, Kees Cook wrote:
> Kees Cook has proposed merging ~kees/ubuntu-cve-tracker:linux-cves into ubuntu-cve-tracker:master.
>
> Commit message:
> Cleaning up some kernel break/fix entries from the distant past and very recent.
>
> Requested reviews:
> Ubuntu Security Team (ubuntu-security)
>
> For more details, see:
> https://code.launchpad.net/~kees/ubuntu-cve-tracker/+git/ubuntu-cve-tracker/+merge/408583
Hi, Kees.
Thanks a lot for your work on this. Here is my take on some of these.
> --
> Your team Ubuntu Security Team is requested to review the proposed merge of ~kees/ubuntu-cve-tracker:linux-cves into ubuntu-cve-tracker:master.
> diff --git a/active/ CVE-2021- 27365 b/active/ CVE-2021- 27365 CVE-2021- 27365 CVE-2021- 27365 1/AV:L/ AC:L/PR: L/UI:N/ S:U/C:H/ I:H/A:H 1a49cee3d591b55 b11fd7a6d5 25a422ec97d1421 e28d97b7ee c29794427588b47 0ed06ff64e f9dbdf97a5bd92b 1a49cee3d591b55 b11fd7a6d5
> index dd06602..1e7aef6 100644
> --- a/active/
> +++ b/active/
> @@ -33,8 +33,8 @@ CVSS:
> nvd: CVSS:3.
>
> Patches_linux:
> - break-fix: - f9dbdf97a5bd92b
> - break-fix: - ec98ea7070e94cc
> + break-fix: 23d6fefbb3f6b1c
This doesn't make sense. 23d6fefbb3f6 ("scsi: iscsi: Fix in-kernel conn
failure handling") comes after f9dbdf97a5bd ("scsi: iscsi: Verify lengths
on passthrough PDUs"). This looks more like 0896b7523026 ("[SCSI]
open-iscsi/linux-iscsi-5 Initiator: Transport class update for iSCSI"),
from 2005.
> + break-fix: a54a52caad4bd61 66cb7fa64e4e930 31fa2fda5d ec98ea7070e94cc 25a422ec97d1421 e28d97b7ee
a54a52caad4b ("[SCSI] iscsi: fixup set/get param functions") is so old that
I wouldn't bother adding it. We only support trusty and newer anyway.
However, we do add 1da177 as a break commit sometimes. I think the most use
of it is stating "the break commit is known". Because anything earlier than
v3.13 will give us the same triage results.
> upstream_linux: released (5.12~rc2) CVE-2021- 29154 b/active/ CVE-2021- 29154 CVE-2021- 29154 CVE-2021- 29154 1/AV:L/ AC:L/PR: L/UI:N/ S:U/C:H/ I:H/A:H fe412ee2cd489f7 658449b098 8a1e59fac5c3025 db39721f74 e4d4d456436bfb2 fe412ee2cd489f7 658449b098
> precise/esm_linux: ignored (was needs-triage ESM criteria)
> trusty_linux: ignored (out of standard support)
> diff --git a/active/
> index ee3abb3..2559949 100644
> --- a/active/
> +++ b/active/
> @@ -29,7 +29,7 @@ CVSS:
> nvd: CVSS:3.
>
> Patches_linux:
> - break-fix: - e4d4d456436bfb2
> + break-fix: 0a14842f5a3c0e8
OK, this is the commit that introduces BPF JIT. Finding a break commit here
would help us determine whether trusty is vulnerable. We know this can be
exploited with eBPF, but no idea if cBPF could be used here. And, then,
would the initial JIT implementation be vulnerable, or would it require
some later commit? I still would rather leave the break commit as "-",
stating that we still need to investigate this.
The remaining changes are retired CVEs. Do you know or expect that any of
the changes would result in a different set of currently supported kernels
being vulnerable when we thought they were not? Otherwise, would this be
consumed for kernels other than Ubuntu ones that would make it worth to
review and merge?
Thanks a lot.
Cas...