On Thursday, February 06, 2014 02:12:59 you wrote:
On Wed, Feb 5, 2014 at 12:11 PM, Jason
On Wednesday, February 05, 2014 10:55:19 Marcus
On Wed, Feb 05, 2014 at 10:51:37AM +0100, Stefan
did I miss something or is this  still unpatched in openSUSE 12.3
and 13.1 kernels?
zypper in linux-sources
grep -r -e "if (get_compat_timespec(&ktspec, timeout))" /usr/src/*
there was the expected output for the _unpatched_ kernel.
Much worse, the "CONFIG_X86_X32=y" (for openSUSE 13.1) and
"CONFIG_X86_32=y" (for openSUSE 12.3) seems to be available in *every*
kernel configuration. Is there a chance to use any kernel parameters
deactivating this problem? I didn't find any solution.
Manually patching the kernel is no option for me. In the case of
patching myself and the assumption that it will not be fixed in the
repositories I will probably end up repairing this after every kernel
The kernel updates for 12.3 and 13.1 are in the update-test repos
and will be released hopefully this week after some smoketesting.
You can check them out already at
Our bugzilla for this is
My unsolicited two cents:
Was following this specific vuln on the net and I have to say, the release
of patched kernels for 12.3/13.1 so late isn't acceptable.
Not to delve into what you'd need to do to actually _get_ root
but to point out that _every_ major distro out there had it patched in a
matter of day or two.
Two days ago POC was released too:https://github.com/saelo/cve-2014-0038
yet for a few line patch kernels lie in testing.
This is not a POC, it is a fully working local root exploit.
Sure, but it isn't malicious. Semantics aside, we can both agree it works and
is in public.
But what hurts most is that CONFIG_X86_X32 is enabled in openSUSE
kernels without any reason.
To their defense, most of major distros have it enabled by default bar Fedora
which explicitly stated they won't and a few other, minor ones.
Actually, to correct OP, this has nothing to do with X86_32, it affects only
newish X32 abi.
It is the casual approach to the subject that got me. I realize people are
busy etc. but fix was in mainline 6 days ago and it isn't something that
requires a week of testing.
Anyway, I don't want to offend anyone here and it isn't my intention,
apologies if it was or could be taken as such. You (oSS devs) have my utmost
respect for the work being done and the product is free, done mostly in
people's free time so I shouldn't be complaining.
NB: Resent correctly
To unsubscribe, e-mail: opensuse-kernel+unsubscribe(a)opensuse.org
To contact the owner, e-mail: opensuse-kernel+owner(a)opensuse.org