On Tue, Oct 19, 2010 at 10:46:09AM +0100, Dave Howorth wrote:
Yesterday I was offered a kernel update for an 11.2 system. I was curious enough to look at the description and then to look further and was somewhat surprised at what I found. The description was:
====
kernel-3323 (noarch)
This update is needed to fix a security vulnerability with this package. The updated openSUSE 11.2 kernel fixes the following security bugs: CVE-2010-3310: Local users could corrupt kernel heap memory via ROSE sockets. CVE-2010-2962: Local users could write to any kernel memory location via the i915 GEM ioctl interface. Additionally the update restores the compat_alloc_userspace() inline function and includes several other bug fixes.
For more information about bugs fixed by this update please visit these websites: • https://bugzilla.novell.com/show_bug.cgi?id=614670. • https://bugzilla.novell.com/show_bug.cgi?id=640721. • https://bugzilla.novell.com/show_bug.cgi?id=642009. • https://bugzilla.novell.com/show_bug.cgi?id=644046.
====
I was initially surprised by the mention of compat_alloc_userspace(), which is very much like the compat_alloc_user_space() that caused so much angst a month or so ago.
This is a fix for this Angst problem... The fix we did is really for building the ATI driver again as before.
So I decided to check the individual bug reports.
I was a bit surprised by the first one, which causes major corruption of XFS filesystems and which has been fixed but left outstanding for quite some time! That doesn't encourage me to rely on the system for my data.
I was surprised in a different way by the other three, because it's not possible to access them! At least, not unless you have a Novell account and are prepared to login to it. I wasn't last night.
This would not help either, as they are Novell only security bugs.
Is it policy that kernel updates are sent out without open documentation of what they contain? I'd have expected that to violate the GPL but then I haven't thought about it too hard yet.
The sources are included, so the GPL requirements are satisfied. rpm -q --changelog kernel-default | less will show the more complete RPM changelog. The inaccessible bugs are usually the security bugs, which are by default not open to the public. I have opened bugs 644046, 640721 and 640721 to the public now. Ciao, Marcus -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org