Arch Linux


FS#40715 - [linux] Linux kernel futex local privilege escalation (CVE-2014-3153)

Attached to Project: Arch Linux
Opened by Daniel Micay (thestinger) - Thursday, 05 June 2014, 17:47 GMT
Last edited by Tobias Powalowski (tpowa) - Sunday, 08 June 2014, 19:21 GMT
Task Type: Bug Report
Category: Packages: Core
Status: Closed
Assigned To: Tobias Powalowski (tpowa), Thomas Bächler (brain0), Andreas Radke (AndyRTR)
Architecture: All
Severity: Critical
Priority: Normal
Reported Version:
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 100%
Votes: 5
Private: No

Details

There is a serious privilege escalation issue in the kernel:

http://seclists.org/oss-sec/2014/q2/467

It's a bit worse than the usual ones, because `futex` is a very common system call permitted inside sandboxes like the ones used by Chromium, Tor and OpenSSH.

Closed by Tobias Powalowski (tpowa) - Sunday, 08 June 2014, 19:21 GMT
Reason for closing: Fixed
Additional comments about closing: 3.14.6
Comment by Daniel Micay (thestinger) - Thursday, 05 June 2014, 18:03 GMT
The linux-lts package also needs to be fixed but I didn't include it in the title because I was unaware when I reported the issue. It's dealt with in linux-grsec by 3.14.5.201406051310-1 (as part of the patchset).
Comment by Claire Farron (clfarron4) - Saturday, 07 June 2014, 13:38 GMT
I extracted these (the first four) from the .mbox file that the submitter used to compress all of them.

I'll test them later with my AUR packages (linux-lts312/-ck/312-ck).

NOTE: From what I understand, 0003-futex-2.6.32.patch is a correction of 0003-futex for something.
Comment by Daniel Micay (thestinger) - Saturday, 07 June 2014, 14:26 GMT
The patches should be applied from Linus' tree, now that they're upstream. There are 2 earlier futex-related patches to apply before these 4 too.
Comment by Claire Farron (clfarron4) - Saturday, 07 June 2014, 21:31 GMT
It appears there is no need to add linux-lts to this report. The 3.10.42 release contains the patches for CVE-2014-3153 (from looking at the changelog): https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.10.42
Comment by Daniel Micay (thestinger) - Sunday, 08 June 2014, 03:57 GMT
Arch is still on 3.10.41 (at least in [core]) which is vulnerable. The futex fixes for the non-LTS kernel are in 3.14.6, which needs to be packaged and then pushed to [core] for this to be closed.
Comment by Daniel Micay (thestinger) - Sunday, 08 June 2014, 13:35 GMT
The LTS package is now in [core], and the fixed linux version is in [testing]. The bug can be closed when that's moved to [core].
