gentoo-sources 3.10.105 - fix for CVE-2017-6074 ? [solved]

Duncan Mac Leod

I've seen that Mike has released gentoo-sources 4.1.38-r1 which contains the fix fpr CVE-2017-6074.

Is this fix already included in gentoo-sources 3.10.105 ?

eccerr0r · Posted: Mon Feb 27, 2017 1:47 am Post subject:

Quick scan of the patches in gentoo-sources-3.10.105 => CVE-2017-6074 NOT patched in this version.

Looks like:
gentoo-sources-4.4.52 has CVE-2017-6074 patched
gentoo-sources-4.9.13 has CVE-2017-6074 patched
_________________
Intel Core i7 2700K@ 4.1GHz/HD3000 graphics/8GB DDR3/180GB SSD
What am I supposed watching?

khayyam · Posted: Mon Feb 27, 2017 4:07 am Post subject:

Duncan Mac Leod ...

you should be able to apply the patch ... at least with 3.12.70 it applies cleanly:

Hu · Moderator Joined: 06 Mar 2007 Posts: 14931

Also, since you undoubtedly build your own kernel, you have the option of excluding from compilation the affected code, in which case it would not matter whether you apply the patch.

eccerr0r · Posted: Mon Feb 27, 2017 6:25 am Post subject:

If you modularized the dccp code and you don't need dccp, you can remove those module files until you get a known clean version:

# rm /lib/modules/kernelversion/kernel/net/dccp/dccp*ko

Instead of deleting you could prevent the kernel from autoloading the modules: Swiped from redhat:

# echo "install dccp /bin/true" >> /etc/modprobe.d/disable-dccp.conf

Note that like the ipv6 module, likely it can't be rmmoded without a reboot because of the large refcount that occurs when it get inserted.

Of course if you actually use dccp (you would know if you're using it, and mostly it's for routers it seems), you would have to patch. For me, I don't use dccp, and thus I can procrastinate.
_________________
Intel Core i7 2700K@ 4.1GHz/HD3000 graphics/8GB DDR3/180GB SSD
What am I supposed watching?

Duncan Mac Leod · Posted: Mon Feb 27, 2017 8:10 pm Post subject:

Mike has just released gentoo-sources 3.10.105-r1 which contains the fix

- thank you, Mike!