[opensuse] kernel update oddities
Yesterday I was offered a kernel update for an 11.2 system. I was curious enough to look at the description and then to look further and was somewhat surprised at what I found. The description was: ==== kernel-3323 (noarch) This update is needed to fix a security vulnerability with this package. The updated openSUSE 11.2 kernel fixes the following security bugs: CVE-2010-3310: Local users could corrupt kernel heap memory via ROSE sockets. CVE-2010-2962: Local users could write to any kernel memory location via the i915 GEM ioctl interface. Additionally the update restores the compat_alloc_userspace() inline function and includes several other bug fixes. For more information about bugs fixed by this update please visit these websites: • https://bugzilla.novell.com/show_bug.cgi?id=614670. • https://bugzilla.novell.com/show_bug.cgi?id=640721. • https://bugzilla.novell.com/show_bug.cgi?id=642009. • https://bugzilla.novell.com/show_bug.cgi?id=644046. ==== I was initially surprised by the mention of compat_alloc_userspace(), which is very much like the compat_alloc_user_space() that caused so much angst a month or so ago. So I decided to check the individual bug reports. I was a bit surprised by the first one, which causes major corruption of XFS filesystems and which has been fixed but left outstanding for quite some time! That doesn't encourage me to rely on the system for my data. I was surprised in a different way by the other three, because it's not possible to access them! At least, not unless you have a Novell account and are prepared to login to it. I wasn't last night. Is it policy that kernel updates are sent out without open documentation of what they contain? I'd have expected that to violate the GPL but then I haven't thought about it too hard yet. Cheers, Dave -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org
On Tue, Oct 19, 2010 at 10:46:09AM +0100, Dave Howorth wrote:
Yesterday I was offered a kernel update for an 11.2 system. I was curious enough to look at the description and then to look further and was somewhat surprised at what I found. The description was:
====
kernel-3323 (noarch)
This update is needed to fix a security vulnerability with this package. The updated openSUSE 11.2 kernel fixes the following security bugs: CVE-2010-3310: Local users could corrupt kernel heap memory via ROSE sockets. CVE-2010-2962: Local users could write to any kernel memory location via the i915 GEM ioctl interface. Additionally the update restores the compat_alloc_userspace() inline function and includes several other bug fixes.
For more information about bugs fixed by this update please visit these websites: • https://bugzilla.novell.com/show_bug.cgi?id=614670. • https://bugzilla.novell.com/show_bug.cgi?id=640721. • https://bugzilla.novell.com/show_bug.cgi?id=642009. • https://bugzilla.novell.com/show_bug.cgi?id=644046.
====
I was initially surprised by the mention of compat_alloc_userspace(), which is very much like the compat_alloc_user_space() that caused so much angst a month or so ago.
This is a fix for this Angst problem... The fix we did is really for building the ATI driver again as before.
So I decided to check the individual bug reports.
I was a bit surprised by the first one, which causes major corruption of XFS filesystems and which has been fixed but left outstanding for quite some time! That doesn't encourage me to rely on the system for my data.
I was surprised in a different way by the other three, because it's not possible to access them! At least, not unless you have a Novell account and are prepared to login to it. I wasn't last night.
This would not help either, as they are Novell only security bugs.
Is it policy that kernel updates are sent out without open documentation of what they contain? I'd have expected that to violate the GPL but then I haven't thought about it too hard yet.
The sources are included, so the GPL requirements are satisfied. rpm -q --changelog kernel-default | less will show the more complete RPM changelog. The inaccessible bugs are usually the security bugs, which are by default not open to the public. I have opened bugs 644046, 640721 and 640721 to the public now. Ciao, Marcus -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org
On Tue, 19 Oct 2010 12:08:01 +0200, Marcus Meissner <meissner@suse.de> wrote:
This would not help either, as they are Novell only security bugs.
Then what good is there in giving the URLs in the first place? Whoever does those notices should make sure the info is reabable by everyone, shouldn't he? Philipp -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org
On Tue, Oct 19, 2010 at 12:26:59PM +0200, Philipp Thomas wrote:
On Tue, 19 Oct 2010 12:08:01 +0200, Marcus Meissner <meissner@suse.de> wrote:
This would not help either, as they are Novell only security bugs.
Then what good is there in giving the URLs in the first place? Whoever does those notices should make sure the info is reabable by everyone, shouldn't he?
Previously those staid public. We now can manually review the bugs, screen comments that should stay private and open them. It is just work necessary. Ciao, Marcus -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org
On Tue, Oct 19, 2010 at 01:41:33PM +0200, Marcus Meissner wrote:
On Tue, Oct 19, 2010 at 12:26:59PM +0200, Philipp Thomas wrote:
On Tue, 19 Oct 2010 12:08:01 +0200, Marcus Meissner <meissner@suse.de> wrote:
This would not help either, as they are Novell only security bugs.
Then what good is there in giving the URLs in the first place? Whoever does those notices should make sure the info is reabable by everyone, shouldn't he?
Previously those staid public.
I meant private of course.
We now can manually review the bugs, screen comments that should stay private and open them. It is just work necessary.
Ciao, Marcus -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org
Marcus Meissner wrote:
Is it policy that kernel updates are sent out without open documentation of what they contain? I'd have expected that to violate the GPL but then I haven't thought about it too hard yet.
The sources are included, so the GPL requirements are satisfied.
rpm -q --changelog kernel-default | less will show the more complete RPM changelog.
The inaccessible bugs are usually the security bugs, which are by default not open to the public. I have opened bugs 644046, 640721 and 640721 to the public now.
Thanks Marcus for your very consdiderate reply. You've cheered me up today! Cheers, Dave -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org
participants (3)
-
Dave Howorth -
Marcus Meissner -
Philipp Thomas