admin on Jan 24th 2012 Gentoo
Seems the patch I committed for the fix was corrupted. So, I am rebuilding and releasing kernels for 3.2, 3.1 and 3.0.
Thanks to wired for pointing this out. I will be removing the ones from yesterday.
The following kernels now contain the fix:
gentoo-sources-3.2.1-r2
gentoo-sources-3.1.10-r1
gentoo-sources-3.0.17-r2
admin on Jan 23rd 2012 Gentoo
I just released gentoo-sources-3.2.1-r1 for Linux Local Privilege Escalation via SUID /proc/pid/mem.
I plan on creating releases for additional kernels with this patch through the day.
See the link for more info on the privilege escalation.
The following kernel versions contain the patch:
gentoo-sources-3.2.1-r1
gentoo-sources-3.1.10
gentoo-sources-3.0.17-r1
admin on Nov 7th 2011 Gentoo
Attention Gentoo RAID10 users running Linux kernel 3.1.0.
There is a serious bug introduced in the 3.1.0 code. The Gentoo Kernel Team advises any of our RAID10 users running 3.1.0 (vanilla or gentoo-sources) to patch their kernel or immediately upgrade to gentoo-sources-3.1.0-r1 which includes the upstream patch to correct the issue.
Upstream considers this a “serious flaw”.
From the original patch submission on LKML:
“Anyone running RAID10 with 3.1 is advised to either apply this patch or revert an earlier kernel as soon as possible. In the mean time, remove any hot spares from an RAID10 array.”
From the patch:
“It would normally be possible to recover the data, but that would need care and is not guaranteed.”
Summary: RAID10 3.1.0 kernel users, please upgrade to gentoo-sources-3.1.0-r1 or patch your kernel manually.
admin on Jul 22nd 2011 Gentoo
Linux 3.0 is now released for Gentoo users in both vanilla and gentoo-source versions. These two ebuilds should be hitting the mirrors in the next few hours.
Currently, deblob support is not available due to the kernel tarball being named 3.0 and the deblob script being 3.0.0. The eclass needs to be looked at to see how to handle this. It would be helpful if everything was named either 3.0 or 3.0.0. A mix makes things a bit more challenging.
admin on Mar 15th 2011 Gentoo
Just a quick note to announce gentoo-sources-2.6.38 has been released which includes the fbcondecor patch. Also note that the per-session group scheduling patch is included in this release from upstream. I also committed vanilla-sources-2.6.38, as well.
admin on Dec 8th 2010 Gentoo
The Gentoo Kernel Team (thanks, asn!) have released 3 patched kernels that cover the Econet root exploit described at: http://lwn.net/Articles/419141/
This covers (CVE-2010-3850), (CVE-2010-3849) and (CVE-2010-4258).
The following gentoo-sources contain the fixes: gentoo-sources-2.6.36-r4, gentoo-sources-2.6.35-r14 and gentoo-sources-2.6.32-r23.
Edit: 2.6.36-r4, not r6, which does not exist, yet.
admin on Nov 20th 2010 Gentoo
If you haven’t heard about the new ~200 line patch which, for some users, has improved interactivity on the desktop, you can read about it here.
I have released a masked version of gentoo-sources (gentoo-sources-2.6.36-r2) which contains the backport to this kernel version written by the original author.
If anyone wants to try this patch on 2.6.36, you can just unmask gentoo-sources-2.6.36-r2, and try it out.
Mike
admin on Oct 19th 2010 Gentoo
Attention all Media, Gentoo users and my fellow Gentoo devs:
A new kernel vulnerability has been reported and the gentoo bug has been filed. Within 4 hours of this filing, the kernel team has released the following:
The fix for CVE-2010-3904 has been back ported to all gentoo-source versions that are currently supported. (2.6.32-rX, 2.6.34-rX and 2.6.35-rX)
This fix is now released in the following genpatches:
genpatches-2.6.35-12
genpatches-2.6.34-14
genpatches-2.6.32-25
The following newly released gentoo-sources kernels contain the patch:
gentoo-sources-2.6.35-r11
gentoo-sources-2.6.34-r12
gentoo-sources-2.6.32-r20
The following stable request bugs have been filed for these kernels:
bug #341833 for gentoo-sources-2.6.32-r20
bug #341831 for gentoo-sources-2.6.34-r12
Please note that no stable request has been filed for 2.6.35-r11, as we wait for the prerequisite 30 days for the new baselayout to be requested to be stabled before we can do so. If you are running a 2.6.35 gentoo-source kernel, please upgrade to the latest version. Note that as of this post, upstream has not released new vanilla kernel versions containing the fix.
admin on Oct 5th 2010 Gentoo
In light of the recent kernel vulnerabilities, issues with our kernel stabilization policy have been brought to light.
The discussion and potential solution were initiated by Kerin Millar, one of our more technical users (who I would like to see become a dev). He opened a bug and the discussion that followed can be read on bug #338739.
To sum up, we want to be able to stabilize kernels faster, especially in the case when a vulnerability is discovered.
We are looking to get agreement from the arch teams for the policy to be as follows:
For a new version release: 2.6.X, the stabilization will follow the same steps as it does today. We open a bug, and all the arches stabilize as they see fit.
Once this happens, any subsequent point release (2.6.X.y) will be automatically stabilized for any arches that had the previous version stabled. This includes gentoo-sources, especially since sometimes security patches are not released for “older” kernels. (2.6.34, for example).
I appreciate arch team leads’ buy-in/alternative solutions/comments on the bug, some already have. The faster we can get a solid policy in place the faster we get security patched kernels to our users.
I appreciate everyone’s time and effort. I wanted to blog this so people don’t think the kernel team is doing nothing to address any identified shortcoming.
As always, feel free to contact me on any medium if you would like to discuss.
Mike
admin on Oct 5th 2010 Gentoo
Let’s talk about kernel releases, the latest two kernel vulnerabilities, and what vanilla or gentoo-sources you should be running.
The two vulnerabilities I’m talking about are:
CVE-2010-3301 (http://bugs.gentoo.org/show_bug.cgi?id=337645)
CVE-2010-3081 (http://bugs.gentoo.org/show_bug.cgi?id=337659)
Kernel Versions
2.6.32
>=gentoo-sources-2.6.32-r18 and vanilla-sources-2.6.32.23 contain the fixes for both CVE-2010-3081 and CVE-2010-3301.
stable request: http://bugs.gentoo.org/show_bug.cgi?id=338317
2.6.34
>=gentoo-sources-2.6.34-r11 (and no vanilla 2.6.34) contain the fixes for both CVE-2010-3081 and CVE-2010-3301.
stable request: http://bugs.gentoo.org/show_bug.cgi?id=339819
2.6.35
>=gentoo-sources-2.6.35-r8 and >=vanilla-sources-2.6.35.5 contain the fixes for both CVE-2010-3081 and CVE-2010-3301.
2.6.35 will only be stabilized after the new baselayout 1.2.14-r1 has been in the tree for 30 days. I described the problem in an earlier blog post so I will not rehash the whole story.
If *anyone* feels a kernel version needs to be stabilized we have this cool thing called bugzilla. Open a bug! We also have this other cool thing (I don’t think Gentoo invented it, not sure) called IRC. I am on IRC 24/7 and will always look to see if someone highlights my name. Talk to me first. Then feel free to bash me if I don’t respond in our users’ best interest. I always try to do what’s best for the community and if I am slacking, it’s only due to life/wife/family/job.
The gentoo-sources team actively supports gentoo-source users. No matter the keyword state. We used to only support two versions (current release and 1 – current release). But now we support the latest upstream LTS as well.
We would also welcome any users or devs who are interested in maintaining the kernel at Gentoo to join the team.
Hope this helps clarify things, always feel free to reach out to me.
Mike
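The fixed-version list for CVE-2010-3081 and CVE-2010-3301 in the post above, turned into a fleet check; this is an added example, not code from the blog or the Gentoo Kernel Team. The `uname -r` string shapes, the host names, and the names `fix_status` and `audit` are assumptions made for illustration.

```python
import re

# Minimum fixed versions for CVE-2010-3081 and CVE-2010-3301, from the post above.
# gentoo-sources thresholds are -rN revisions; vanilla thresholds are the fourth
# version component. None means the post lists no fixed release for that flavour.
FIXED = {
    ("2.6.32", "gentoo"): 18, ("2.6.32", "vanilla"): 23,
    ("2.6.34", "gentoo"): 11, ("2.6.34", "vanilla"): None,
    ("2.6.35", "gentoo"): 8, ("2.6.35", "vanilla"): 5,
}

# Assumed `uname -r` shapes: "2.6.32-gentoo-r18", "2.6.32-gentoo", "2.6.32.23".
RELEASE_RE = re.compile(r"^(\d+\.\d+\.\d+)(?:\.(\d+))?(?:-(gentoo)(?:-r(\d+))?)?$")


def fix_status(release):
    """Classify one kernel release string against the thresholds above."""
    m = RELEASE_RE.match(release.strip())
    if not m:
        return "unparsed"      # custom local version etc.: review by hand
    branch, point, flavour, rev = m.groups()
    flavour = flavour or "vanilla"
    if (branch, flavour) not in FIXED:
        return "not covered"   # the post says nothing about this branch
    minimum = FIXED[(branch, flavour)]
    if minimum is None:
        return "not fixed"     # e.g. vanilla 2.6.34: no fixed release listed
    # A missing -rN or missing fourth component counts as 0.
    have = int(rev or 0) if flavour == "gentoo" else int(point or 0)
    return "fixed" if have >= minimum else "not fixed"


# Constructed sample inventory (host name -> output of `uname -r`).
INVENTORY = {
    "web1": "2.6.32-gentoo-r18",
    "web2": "2.6.32-gentoo-r17",
    "db1": "2.6.34.7",
    "db2": "2.6.35.5",
    "build1": "2.6.36-gentoo-r4",
    "lab1": "2.6.35-gentoo-r8-custom",
}


def audit(inventory):
    """Return {host: status} for every host in the inventory."""
    return {host: fix_status(rel) for host, rel in inventory.items()}


if __name__ == "__main__":
    for host, status in sorted(audit(INVENTORY).items()):
        print(f"{host:8} {INVENTORY[host]:26} {status}")
```

Hosts reported as "not covered" or "unparsed" need a manual check, since the post only lists thresholds for the 2.6.32, 2.6.34 and 2.6.35 branches.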