On Mon, Jan 03, 2005 at 03:25:41PM -0800, Matt Zimmerman wrote:
> On Wed, Dec 15, 2004 at 11:27:58AM +0900, Horms wrote:
>
> > On Wed, Dec 15, 2004 at 12:59:24AM +0100, Tomasz Malesinski wrote:
> > > Why hasn't the bug #266882 (CAN-2004-0554 i387.h in kernel: asm
> > > volatile("fnclex ; fwait");) been fixed in 2.4.18 for so long?
> >
> > That and a host of others. Security-Team, is there ever going to be a
> > new kernel for Woody?
>
> Any patches that you can provide would be gratefully received. The kernel
> has a huge number of vulnerabilities, and more are discovered all the time.
> Since the resources of the security team are limited, this work needs to be
> distributed to package maintainers wherever possible.
The bug #266882 (CAN-2004-0554) is discussed at:

http://linuxreviews.org/news/2004/06/11_kernel_crash/

There is an exploit code and a link to the patch:

http://linux.bkbits.net:8080/linux-2.4/[EMAIL PROTECTED]

which applies cleanly and fixes the issue in the 2.4.18 Debian kernel.

I was also looking for the fix of the bug CAN-2004-1016. It is fixed in the upstream by the following patches:

http://linux.bkbits.net:8080/linux-2.4/[EMAIL PROTECTED]
http://linux.bkbits.net:8080/linux-2.4/[EMAIL PROTECTED]

I have applied them to 2.4.18 sources. They applied almost cleanly, with some offsets and some hunks ignored due to the fact that some architectures appeared after 2.4.18 and the architecture-specific files for mips64 in 2.4.18 do not contain the vulnerable code. With that patch the kernel was immune to the exploit included in the original advisory (http://isec.pl/vulnerabilities/isec-0019-scm.txt).

Another issue is described at:

http://isec.pl/vulnerabilities/isec-0017-binfmt_elf.txt

Most of the bugs mentioned there are fixed in the upstream by the patch:

http://linux.bkbits.net:8080/linux-2.6/[EMAIL PROTECTED]

Applying it to 2.4.18 required little manual intervention. The patch however does not seem to fix the 5th bug in the advisory, which is also exploited by the code included there. I am not even sure whether this is fixed in the upstream at all (I have not tested the latest kernels, though).

Would backported patches be useful to the Security Team or would they only increase the traffic on the mailing lists? As I said, the patch command had almost no problems applying patches from the BitKeeper.

Tomasz Malesinski