On 10/25/16 10:10 AM, Francisco Blas Izquierdo Riera (klondike) wrote:
> On 25/10/16 at 12:56, Miroslav Rovis wrote:
>> Hi!
> Hi Miroslav!
>> Due to this bug:
>> https://bugs.gentoo.org/show_bug.cgi?id=597554
>>
>> I can't use the patched 4.7.9 of hardened sources.
>>
>> hardened-sources-4.4.8-r1 do not appear to me to be mad COW patched.
> I guess you are talking about CVE-2016-5195 here. Please correct me if
> mistaken.
>> I looked up the sources, but am not able to see for sure how to patch
>> 4.4.8-r1 myself.
>>
>> I have just rsynced my system and nothing new seems to have happened
>> with 4.4.8-r1 yet.
> If 4.4.8 gets patched you will find a new revision (i.e. 4.4.8-r2). This
> is quite standard Gentoo policy, if a package is modified after
> publication (for example by backporting patches) the revision of the
> packet has to be increased so that users will be able to use these when
> updating. The only exceptions I know of are the -9999 packages for
> bleeding edge trunks and some very minor changes (think for example of a
> fix in the build system or a minor documentation fix) which a fix for
> CVE-2016-5195 clearly wouldn't be.
> 
> You can read more on the Gentoo project revision policy for ebuilds at
> https://devmanual.gentoo.org/general-concepts/ebuild-revisions/
>> Is there patching needed for those stable hardened sources and will
>> there be a patch soon?
> According to
> https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails
> CVE-2016-5195 has been around since 2.6.22 so 4.4.8-r1 is not patched
> and is needed to protect against this issue, as for whether there will
> or not be a backported patch you should ask blueness but my guess is
> that there won't be one unless somebody provides such backported patch
> to blueness.
> 
> I'm CCing the Gentoo Hardened user list as other users may be able to
> provide more and better input on this.
> 
> Sincerely,
> Francisco Blas Izquierdo Riera (klondike)
> 

I'm testing 4.7.10 and will have it stabilized soon.

-- 
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail    : bluen...@gentoo.org
GnuPG FP  : 1FED FAD9 D82C 52A5 3BAB  DC79 9384 FA6E F52D 4BBA
GnuPG ID  : F52D4BBA
