FS#56647 - https://security.archlinux.org/CVE-2017-14954 accuracy
Attached to Project:
Arch Linux
Opened by loqs (loqs) - Saturday, 09 December 2017, 16:48 GMT
Last edited by Eli Schwartz (eschwartz) - Saturday, 09 December 2017, 23:48 GMT
Details
Description:
The Arch advisory seems to contain multiple factual errors. This is not disputing CVE-2017-14954 but the advisory's attribution to various Arch packages and versions. I did not file this, for instance, as a bug against linux-lts, as linux-lts was never affected by the issue, so listing a non-bug to correct an issue made less sense to me than filing it against Web Sites. I tried contacting anthraxx via the email address listed on https://www.archlinux.org/people/developers/ as he is the only listed developer from the Security Team. Below is the working I provided by email.

Working:

The original report [1] references [2] as the fix, which includes the text "Cc: stable@vger.kernel.org # v4.13", meaning a backport for v4.13 only; it also references [3] as the original commit that introduced the issue. [4] shows the original issue was introduced during v4.13-rc1. [5] shows the fix was applied during v4.14-rc3. [6] shows the fix was backported in [7], and [8] shows it was applied with v4.13.5. [9] lists linux 4.13.8-1 as vulnerable, which contradicts [7] and [8]. [10] and [11] returning no results show the issue and fix are not referenced in 4.9, which is consistent with upstream only backporting it to v4.13. This contradicts [9], which lists 4.9.56-1 as vulnerable. [9] also lists linux-zen 4.13.9-1 as vulnerable. [12], the PKGBUILD, lists [13] as the linux-zen specific patch; it contains no patch for kernel/exit.c, so the backported fix is not altered by linux-zen, so linux-zen 4.13.9-1 does not appear vulnerable, contradicting [9]. The proof of concept [14] produces [15], which appears to validate the previous.
[1] https://www.cvedetails.com/cve-details.php?cve_id=CVE-2017-14954
[2] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=6c85501f2fabcfc4fc6ed976543d252c4eaf4be9
[3] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=7e95a225901a5d2fd140f14b4302805cecc22da7
[4] $ git tag --contains 7e95a225901a5d2fd140f14b4302805cecc22da7
    v4.13 v4.13-rc1 v4.13-rc2 v4.13-rc3 v4.13-rc4 v4.13-rc5 v4.13-rc6 v4.13-rc7
    v4.13.1 v4.13.10 v4.13.11 v4.13.12 v4.13.13 v4.13.14 v4.13.15 v4.13.16
    v4.13.2 v4.13.3 v4.13.4 v4.13.5 v4.13.6 v4.13.7 v4.13.8 v4.13.9
    v4.14 v4.14-rc1 v4.14-rc2 v4.14-rc3 v4.14-rc4 v4.14-rc5 v4.14-rc6 v4.14-rc7 v4.14-rc8
    v4.14.1 v4.14.2 v4.14.3 v4.15-rc1
[5] $ git tag --contains 6c85501f2fabcfc4fc6ed976543d252c4eaf4be9
    v4.14 v4.14-rc3 v4.14-rc4 v4.14-rc5 v4.14-rc6 v4.14-rc7 v4.14-rc8
    v4.14.1 v4.14.2 v4.14.3 v4.15-rc1
[6] $ git checkout v4.13.9
    HEAD is now at 5b61412afb66... Linux 4.13.9
    $ git log --grep=6c85501f2fabcfc4fc6ed976543d252c4eaf4be9
    commit c8b679ba7c65457e45af7c086c5df0748522aa2f
    Author: Al Viro <viro@zeniv.linux.org.uk>
    Date:   Fri Sep 29 13:43:15 2017 -0400

        fix infoleak in waitid(2)

        commit 6c85501f2fabcfc4fc6ed976543d252c4eaf4be9 upstream.

        kernel_waitid() can return a PID, an error or 0. rusage is filled in the first case
        and waitid(2) rusage should've been copied out exactly in that case, *not* whenever
        kernel_waitid() has not returned an error. Compat variant shares that braino; none
        of kernel_wait4() callers do, so the below ought to fix it.

        Reported-and-tested-by: Alexander Potapenko <glider@google.com>
        Fixes: ce72a16fa705 ("wait4(2)/waitid(2): separate copying rusage to userland")
        Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
        Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[7] https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?id=c8b679ba7c65457e45af7c086c5df0748522aa2f
[8] $ git tag --contains c8b679ba7c65457e45af7c086c5df0748522aa2f
    v4.13.10 v4.13.11 v4.13.12 v4.13.13 v4.13.14 v4.13.15 v4.13.16
    v4.13.5 v4.13.6 v4.13.7 v4.13.8 v4.13.9
[9] https://security.archlinux.org/CVE-2017-14954
[10] $ git log --grep=7e95a225901a5d2fd140f14b4302805cecc22da7
     (no output)
[11] $ git log --grep=6c85501f2fabcfc4fc6ed976543d252c4eaf4be9
     (no output)
[12] https://git.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/linux-zen&id=19f26e3ac841240e1bb172546aea33a9746930f9
[13] https://pkgbuild.com/~heftig/zen-patches/zen-4.13.9-db74c362426d1d03ff8c7940757a502b0ea0cc80.diff.xz
[14] https://grsecurity.net/~spender/exploits/wait_for_kaslr_to_be_effective.c
[15] Output of [14] per package:
     linux-lts 4.9.56-1
     Leak size=144 bytes
     linux-hardened 4.13.4.a-1
     Leak size=144 bytes
     Kernel base: 0xffffffffbd000000
     linux-zen 4.13.9-1
     Leak size=144 bytes
     linux 4.13.8-1
     Kernel base: 0xffffffffbd000000
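The check the report walks through (which tags contain the introducing commit, which contain the upstream fix, and which contain the stable backport located by grepping the upstream id) can be done mechanically, which is how an advisory's affected-version list should be cross-checked before publication. The following is an added example and not code from the report, from Arch Linux or from the kernel project; it embeds the `git tag --contains` output and the `git log` excerpt quoted in references [4], [5], [6] and [8] as inline data, so nothing is fetched, and the package versions it classifies are the ones the report names. The mapping from an Arch pkgver such as `4.13.4.a-1` to the kernel tag `v4.13.4` is an assumption of the example, as is the `find_backports` helper, which relies on the "commit <id> upstream." line that stable backports carry.

```python
"""Cross-check which kernel tags an advisory should list as affected.

Added example for this report (not Arch Linux or kernel project code).
The tag lists and git log excerpt below are copied from references
[4], [5], [6] and [8] of the report and embedded inline.
"""
import re

# Introducing commit (ref [3]) and upstream fix commit (ref [2]).
INTRO_COMMIT = "7e95a225901a5d2fd140f14b4302805cecc22da7"
FIX_COMMIT = "6c85501f2fabcfc4fc6ed976543d252c4eaf4be9"

# `git tag --contains <commit>` output quoted in refs [4] and [5].
TAGS_CONTAINING_INTRO = set("""
v4.13 v4.13-rc1 v4.13-rc2 v4.13-rc3 v4.13-rc4 v4.13-rc5 v4.13-rc6 v4.13-rc7
v4.13.1 v4.13.10 v4.13.11 v4.13.12 v4.13.13 v4.13.14 v4.13.15 v4.13.16
v4.13.2 v4.13.3 v4.13.4 v4.13.5 v4.13.6 v4.13.7 v4.13.8 v4.13.9
v4.14 v4.14-rc1 v4.14-rc2 v4.14-rc3 v4.14-rc4 v4.14-rc5 v4.14-rc6 v4.14-rc7
v4.14-rc8 v4.14.1 v4.14.2 v4.14.3 v4.15-rc1
""".split())
TAGS_CONTAINING_FIX = set("""
v4.14 v4.14-rc3 v4.14-rc4 v4.14-rc5 v4.14-rc6 v4.14-rc7 v4.14-rc8
v4.14.1 v4.14.2 v4.14.3 v4.15-rc1
""".split())
# Same for the 4.13-stable backport commit, ref [8].
TAGS_CONTAINING_BACKPORT = set("""
v4.13.10 v4.13.11 v4.13.12 v4.13.13 v4.13.14 v4.13.15 v4.13.16
v4.13.5 v4.13.6 v4.13.7 v4.13.8 v4.13.9
""".split())

# `git log --grep=<upstream id>` on v4.13.9 (ref [6]), in git's usual layout.
STABLE_GIT_LOG = """\
commit c8b679ba7c65457e45af7c086c5df0748522aa2f
Author: Al Viro <viro@zeniv.linux.org.uk>
Date:   Fri Sep 29 13:43:15 2017 -0400

    fix infoleak in waitid(2)

    commit 6c85501f2fabcfc4fc6ed976543d252c4eaf4be9 upstream.

    kernel_waitid() can return a PID, an error or 0.  rusage is filled in
    the first case and waitid(2) rusage should've been copied out exactly
    in that case, *not* whenever kernel_waitid() has not returned an error.
"""


def find_backports(git_log, upstream_id):
    """Stable commit ids whose message cites 'commit <upstream_id> upstream'."""
    backports = []
    current = None
    for line in git_log.splitlines():
        if line.startswith("commit "):          # header line, column 0
            current = line.split()[1]
        elif current and f"commit {upstream_id} upstream" in line:
            backports.append(current)           # indented message line
    return backports


def affected_tags(intro_tags, *fix_tag_sets):
    """Tags containing the introducing commit but none of the fix commits."""
    affected = set(intro_tags)
    for fixed in fix_tag_sets:
        affected -= fixed
    return affected


def pkgver_to_tag(pkgver):
    """Map an Arch pkgver-pkgrel such as '4.13.4.a-1' to kernel tag 'v4.13.4'.

    Assumption: the leading dotted numeric part (plus optional -rcN) is
    the upstream kernel version; pkgrel and patch-level suffixes are dropped.
    """
    m = re.match(r"(\d+\.\d+(?:\.\d+)?(?:-rc\d+)?)", pkgver)
    if not m:
        raise ValueError(f"unrecognised pkgver: {pkgver}")
    return "v" + m.group(1)


def classify(pkgver, intro_tags, affected):
    """'never affected', 'affected' or 'fixed' for one package version."""
    tag = pkgver_to_tag(pkgver)
    if tag not in intro_tags:
        return "never affected"        # the bug was never in this series
    return "affected" if tag in affected else "fixed"


def check_versions(pkgvers):
    """Classify each package version against the embedded git data."""
    fix_sets = [TAGS_CONTAINING_FIX]
    # Only count the stable tag list if the log really names a backport.
    if find_backports(STABLE_GIT_LOG, FIX_COMMIT):
        fix_sets.append(TAGS_CONTAINING_BACKPORT)
    affected = affected_tags(TAGS_CONTAINING_INTRO, *fix_sets)
    return {p: classify(p, TAGS_CONTAINING_INTRO, affected) for p in pkgvers}


if __name__ == "__main__":
    # Package versions named in the report (advisory entries and PoC runs).
    versions = ["4.9.56-1", "4.13.4.a-1", "4.13.8-1", "4.13.9-1"]
    for pkg, status in check_versions(versions).items():
        print(f"{pkg:12s} {status}")
```

A version is reported as affected only when its tag contains the introducing commit and neither the upstream fix nor its backport; a tag that never contained the introducing commit (the 4.9 series here) comes back as never affected, which is the distinction the report draws between linux-lts and the 4.13-based packages. Only the tag sets from the report's own references are used, and the same set arithmetic applies to any other CVE once the three `git tag --contains` runs have been done for it.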
EDIT: fixed