On Sat, Dec 02, 2017 at 04:20:40PM -0800, Guenter Roeck wrote:
On 12/01/2017 11:48 AM, Michal Kubecek wrote:
On Thu, Nov 30, 2017 at 10:37:40AM -0800, Guenter Roeck wrote:
Hi,
The fix for CVE-2017-16939 has been applied to v4.9.y, but not to v4.4.y and older kernels. However, I confirmed that running the published POC (see https://blogs.securiteam.com/index.php/archives/3535) does crash a 4.4 kernel.
I confirmed that the following two patches fix the problem in v4.4.y. Please consider applying them to v4.4.y (and possibly v3.18.y).
fc9e50f5a5a4e ("netlink: add a start callback for starting a netlink dump") 1137b5e2529a8 ("ipsec: Fix aborted xfrm policy dump crash")
My apologies for the noise if this is already under consideration.
It's a bit too big hammer. As Nicolai Stange noticed when we were
The hammer is just as big as the upstream hammer. Personally I prefer the upstream patch; I don't see a reason to deviate from upstream just because the upstream solution is more complex than necessary.
Comparing that little patch with the combination of the two commits, I would say we have a very different idea what "as big as" means. :-)
handling this for SLE12 (where fc9e50f5a5a4e would break kABI), it's
I didn't know that this is even a concern for stable releases. Is there some guideline that kABI changes should be avoided in stable releases ?
Not to my knowledge, stable updates break kABI quite often. I just mentioned it to explain why we had stronger motivation to find another solution.
Michal Kubecek