linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* Patch for CVE-2004-1334 ???
@ 2006-01-23 17:39 Syed Ahemed
  2006-01-23 18:14 ` Diego Calleja
  2006-01-23 22:31 ` Willy Tarreau
  0 siblings, 2 replies; 7+ messages in thread
From: Syed Ahemed @ 2006-01-23 17:39 UTC (permalink / raw)
  To: linux-kernel

Hi
I do know this community is busy with more important things , but i am
out of ideas/search  on this one.
How do i get the patch for the CVE-2004-1334 ? I have an opensource
linux 2.4.28 on my production server.

If you think this question is stupid enough , then i would eventually
write a patch for this .The trouble i have is on applying the patch
cos my understanding of GPL is pretty confusing.

Please point me to the patch for the above .

Regards
King khan

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: Patch for CVE-2004-1334 ???
  2006-01-23 17:39 Patch for CVE-2004-1334 ??? Syed Ahemed
@ 2006-01-23 18:14 ` Diego Calleja
  2006-01-25  8:56   ` Syed Ahemed
  2006-01-23 22:31 ` Willy Tarreau
  1 sibling, 1 reply; 7+ messages in thread
From: Diego Calleja @ 2006-01-23 18:14 UTC (permalink / raw)
  To: Syed Ahemed; +Cc: linux-kernel

El Mon, 23 Jan 2006 23:09:49 +0530,
Syed Ahemed <kingkhan@gmail.com> escribió:

> Hi
> I do know this community is busy with more important things , but i am
> out of ideas/search  on this one.
> How do i get the patch for the CVE-2004-1334 ? I have an opensource

Well, 2.4.32 fixes that bug and many others security. Any reason why you 
aren't using the latest version.

You can find links to the changesets in the original security advisory
from guninski (easy to find in google)

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: Patch for CVE-2004-1334 ???
  2006-01-23 17:39 Patch for CVE-2004-1334 ??? Syed Ahemed
  2006-01-23 18:14 ` Diego Calleja
@ 2006-01-23 22:31 ` Willy Tarreau
  1 sibling, 0 replies; 7+ messages in thread
From: Willy Tarreau @ 2006-01-23 22:31 UTC (permalink / raw)
  To: Syed Ahemed; +Cc: linux-kernel

Hi,

On Mon, Jan 23, 2006 at 11:09:49PM +0530, Syed Ahemed wrote:
> Hi
> I do know this community is busy with more important things , but i am
> out of ideas/search  on this one.
> How do i get the patch for the CVE-2004-1334 ? I have an opensource
> linux 2.4.28 on my production server.

I'm afraid 2.4-hf does not go that far backwards, it started at 2.4.29.
Git started even later. I've searched through http://linux.bkbits.net/
and I think that what you're looking for is here :

http://linux.bkbits.net:8080/linux-2.4/gnupatch@41b76e94BsJKm8jhVtyDat9ZM1dXXg

> If you think this question is stupid enough , then i would eventually
> write a patch for this .The trouble i have is on applying the patch
> cos my understanding of GPL is pretty confusing.

You don't have to worry, unless explicitly stated otherwise, patches
follow the same licence as the code they're for. So basically you can
apply a kernel patch from any other version to your kernel, and if you
know how to fix the bug by yourself (dangerous), that's fine too.

> Please point me to the patch for the above .

Please check above.

> Regards
> King khan

Regards,
Willy


^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: Patch for CVE-2004-1334 ???
  2006-01-23 18:14 ` Diego Calleja
@ 2006-01-25  8:56   ` Syed Ahemed
  2006-01-25 22:09     ` Willy Tarreau
  0 siblings, 1 reply; 7+ messages in thread
From: Syed Ahemed @ 2006-01-25  8:56 UTC (permalink / raw)
  To: Diego Calleja; +Cc: linux-kernel

The simple reason we do not intend to use the latest version is we run
some third party software which cant be front ported (pardon the slang
) to 2.4.29 and above.
As for the changeset by  guninski , i wish to ask about a one point
source of applying all the patches for 2.4.28 .I mean shouldn't all
the kernel security patches ( atleast the ones that have become CVE's)
be a part of kernel.org .Since there isn't any what is the reason ?
I dont want to go to Gentoo for one patch , red hat for another
....and GOD knows how many sites .
Torvalds is the GOD of open source , but am i asking for too much :-)





On 1/23/06, Diego Calleja <diegocg@gmail.com> wrote:
> El Mon, 23 Jan 2006 23:09:49 +0530,
> Syed Ahemed <kingkhan@gmail.com> escribió:
>
> > Hi
> > I do know this community is busy with more important things , but i am
> > out of ideas/search  on this one.
> > How do i get the patch for the CVE-2004-1334 ? I have an opensource
>
> Well, 2.4.32 fixes that bug and many others security. Any reason why you
> aren't using the latest version.
>
> You can find links to the changesets in the original security advisory
> from guninski (easy to find in google)
>

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: Patch for CVE-2004-1334 ???
  2006-01-25  8:56   ` Syed Ahemed
@ 2006-01-25 22:09     ` Willy Tarreau
  2006-01-26 12:27       ` Syed Ahemed
  0 siblings, 1 reply; 7+ messages in thread
From: Willy Tarreau @ 2006-01-25 22:09 UTC (permalink / raw)
  To: Syed Ahemed; +Cc: Diego Calleja, linux-kernel

On Wed, Jan 25, 2006 at 02:26:51PM +0530, Syed Ahemed wrote:
> The simple reason we do not intend to use the latest version is we run
> some third party software which cant be front ported (pardon the slang
> ) to 2.4.29 and above.
> As for the changeset by  guninski , i wish to ask about a one point
> source of applying all the patches for 2.4.28 .I mean shouldn't all
> the kernel security patches ( atleast the ones that have become CVE's)
> be a part of kernel.org .Since there isn't any what is the reason ?

It's even more work for the person doing it. Maintaining the hotfixes
from 2.4.29 already takes me some time (not much more for 4 versions
than for one, what takes the most time is merging the patches, compiling
and releasing).

> I dont want to go to Gentoo for one patch , red hat for another
> ....and GOD knows how many sites .
> Torvalds is the GOD of open source , but am i asking for too much :-)

I can propose a deal to you. You send me a pointer to the patches that
need to be applied to 2.4.28 to make it as secure as 2.4.29, and I can
include 2.4.28 in my hotfix tree, so that you'll get regular updates
for free. I already have what is needed starting from 2.4.29, you just
have to point the 2.4.28-specific patches. It would time consuming for
me to review them all, but if someone like you has some interest in it,
it should be a win-win for both of us.

Simply send me the bkbits.net URLs, I should be able to do the rest.

Regards,
Willy


^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: Patch for CVE-2004-1334 ???
  2006-01-25 22:09     ` Willy Tarreau
@ 2006-01-26 12:27       ` Syed Ahemed
  0 siblings, 0 replies; 7+ messages in thread
From: Syed Ahemed @ 2006-01-26 12:27 UTC (permalink / raw)
  To: Willy Tarreau; +Cc: Diego Calleja, linux-kernel

Hi Willy.
Thanks a lot for the initiative , This is the brief list of
vulnerabilities i am concerned/aware about right now.Will keep looking
for patches in the days to come.
 Please feel free to ask for more help , I am ready to volunteer for
the cause of
making the open source kernel secure .

PS : Let me know the approach to get subsequent updates from you ?

1]http://www.openwall.com/linux/

 A] CAN-2004-1235
  Linux 2.4.29-ow1 is out. Linux 2.4.29, and thus 2.4.29-ow1, adds a
number of security fixes,   including to the x86/SMP page fault
handler (CAN-2005-0001) and the uselib(2)  (CAN-2004-1235) race
conditions, both discovered by Paul Starzetz. The potential of these 
bugs is a local root compromise. The uselib(2) bug does not affect
default builds of Linux kernels with the Openwall patch applied since
the vulnerable code is only compiled in if one explicitly enables
CONFIG_BINFMT_ELF_AOUT, an option introduced by the patch.


2] Same as above [CAN-2004-12345 but just fixes the uselib
vulnerabilty , I dont know again which one to pick

http://kerneltrap.org/node/4503
Marcelo Tosatti [interview] released the 2.4.29-rc1 Linux kernel with
"a SATA update [and a] bunch of network driver updates". He went on to
note, "more importantly it fixes a sys_uselib() vulnerability
discovered by Paul Starzetz". He adds, "[upgrading] is recommended for
users of v2.4.x mainline, distros should be releasing their updates
real soon now." The vulnerability allows local users to gain root
privileges:



3]  CAN-2004-1334
http://www.guninski.com/where_do_you_want_billg_to_go_today_2.html

http://linux.bkbits.net:8080/linux-2.4/cset@41b76e94BsJKm8jhVtyDat9ZM1dXXg
http://linux.bkbits.net:8080/linux-2.4/cset@41b766beodCDEFPbjDRLoUUUxw4Z6w
http://linux.bkbits.net:8080/linux-2.4/cset@41b77314ZtyUzWzZFzaCRGoQc6hKcw
http://linux.bkbits.net:8080/linux-2.4/cset@41c01f2bHFmPwBYQmce6Aw0owIyqkg



4] CAN-2004-1016

https://lwn.net/Articles/115726/



Thanks
King Khan

On 1/26/06, Willy Tarreau <willy@w.ods.org> wrote:
> On Wed, Jan 25, 2006 at 02:26:51PM +0530, Syed Ahemed wrote:
> > The simple reason we do not intend to use the latest version is we run
> > some third party software which cant be front ported (pardon the slang
> > ) to 2.4.29 and above.
> > As for the changeset by  guninski , i wish to ask about a one point
> > source of applying all the patches for 2.4.28 .I mean shouldn't all
> > the kernel security patches ( atleast the ones that have become CVE's)
> > be a part of kernel.org .Since there isn't any what is the reason ?
>
> It's even more work for the person doing it. Maintaining the hotfixes
> from 2.4.29 already takes me some time (not much more for 4 versions
> than for one, what takes the most time is merging the patches, compiling
> and releasing).
>
> > I dont want to go to Gentoo for one patch , red hat for another
> > ....and GOD knows how many sites .
> > Torvalds is the GOD of open source , but am i asking for too much :-)
>
> I can propose a deal to you. You send me a pointer to the patches that
> need to be applied to 2.4.28 to make it as secure as 2.4.29, and I can
> include 2.4.28 in my hotfix tree, so that you'll get regular updates
> for free. I already have what is needed starting from 2.4.29, you just
> have to point the 2.4.28-specific patches. It would time consuming for
> me to review them all, but if someone like you has some interest in it,
> it should be a win-win for both of us.
>
> Simply send me the bkbits.net URLs, I should be able to do the rest.
>
> Regards,
> Willy
>
>

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: Patch for CVE-2004-1334 ???
       [not found]   ` <5yOFI-5CN-19@gated-at.bofh.it>
@ 2006-01-25 14:43     ` Robert Hancock
  0 siblings, 0 replies; 7+ messages in thread
From: Robert Hancock @ 2006-01-25 14:43 UTC (permalink / raw)
  To: linux-kernel

Syed Ahemed wrote:
> The simple reason we do not intend to use the latest version is we run
> some third party software which cant be front ported (pardon the slang
> ) to 2.4.29 and above.
> As for the changeset by  guninski , i wish to ask about a one point
> source of applying all the patches for 2.4.28 .I mean shouldn't all
> the kernel security patches ( atleast the ones that have become CVE's)
> be a part of kernel.org .Since there isn't any what is the reason ?

It is "part of kernel.org", it's called 2.4.32. The kernel developers 
can hardly be expected to release a patch for every vulnerability 
against every possible kernel version ever released..

If you need guaranteed security patches against a specific version of 
the kernel you should likely be using a distribution kernel and not a 
vanilla kernel.

-- 
Robert Hancock      Saskatoon, SK, Canada
To email, remove "nospam" from hancockr@nospamshaw.ca
Home Page: http://www.roberthancock.com/


^ permalink raw reply	[flat|nested] 7+ messages in thread

end of thread, other threads:[~2006-01-26 12:27 UTC | newest]

Thread overview: 7+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2006-01-23 17:39 Patch for CVE-2004-1334 ??? Syed Ahemed
2006-01-23 18:14 ` Diego Calleja
2006-01-25  8:56   ` Syed Ahemed
2006-01-25 22:09     ` Willy Tarreau
2006-01-26 12:27       ` Syed Ahemed
2006-01-23 22:31 ` Willy Tarreau
     [not found] <5ydZz-2G1-7@gated-at.bofh.it>
     [not found] ` <5yetg-3us-31@gated-at.bofh.it>
     [not found]   ` <5yOFI-5CN-19@gated-at.bofh.it>
2006-01-25 14:43     ` Robert Hancock

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).