Duncan Mac Leod Apprentice


Joined: 02 May 2004 Posts: 251 Location: Germany
|
Posted: Sun Feb 26, 2017 5:27 pm Post subject: gentoo-sources 3.10.105 - fix for CVE-2017-6074 ? [solved] |
|
|
I've seen that Mike has released gentoo-sources 4.1.38-r1 which contains the fix for CVE-2017-6074.
Is this fix already included in gentoo-sources 3.10.105 ?
Last edited by Duncan Mac Leod on Mon Feb 27, 2017 8:09 pm; edited 1 time in total |
eccerr0r Watchman

Joined: 01 Jul 2004 Posts: 7267 Location: almost Mile High in the USA
|
Posted: Mon Feb 27, 2017 1:47 am Post subject: |
|
|
Quick scan of the patches in gentoo-sources-3.10.105 => CVE-2017-6074 NOT patched in this version.
Looks like:
gentoo-sources-4.4.52 has CVE-2017-6074 patched
gentoo-sources-4.9.13 has CVE-2017-6074 patched
_________________
Intel Core i7 2700K@ 4.1GHz/HD3000 graphics/8GB DDR3/180GB SSD
What am I supposed watching? |
khayyam Watchman


Joined: 07 Jun 2012 Posts: 6228 Location: Room 101
|
Posted: Mon Feb 27, 2017 4:07 am Post subject: |
|
|
Duncan Mac Leod ...
you should be able to apply the patch ... at least with 3.12.70 it applies cleanly:
Code:
% uname -r
3.12.70-ck
% wget --trust-server-names=on 'https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/patch/?id=5edabca9d4cff7f1f2b68f0bac55ef99d9798ba4' -O /tmp/cve-2017-6074.patch
% su -
# patch -p1 --dry-run -d /usr/src/linux </tmp/cve-2017-6074.patch
checking file net/dccp/input.c
# patch -p1 -d /usr/src/linux </tmp/cve-2017-6074.patch
patching file net/dccp/input.c
HTH & best ... khay |
Hu Moderator

Joined: 06 Mar 2007 Posts: 14360
|
Posted: Mon Feb 27, 2017 4:22 am Post subject: |
|
|
Also, since you undoubtedly build your own kernel, you have the option of excluding from compilation the affected code, in which case it would not matter whether you apply the patch. |
eccerr0r Watchman

Joined: 01 Jul 2004 Posts: 7267 Location: almost Mile High in the USA
|
Posted: Mon Feb 27, 2017 6:25 am Post subject: |
|
|
If you modularized the dccp code and you don't need dccp, you can remove those module files until you get a known clean version:
# rm /lib/modules/kernelversion/kernel/net/dccp/dccp*ko
Instead of deleting you could prevent the kernel from autoloading the modules: Swiped from redhat:
# echo "install dccp /bin/true" >> /etc/modprobe.d/disable-dccp.conf
Note that like the ipv6 module, likely it can't be rmmoded without a reboot because of the large refcount that occurs when it gets inserted.
Of course if you actually use dccp (you would know if you're using it, and mostly it's for routers it seems), you would have to patch. For me, I don't use dccp, and thus I can procrastinate.
_________________
Intel Core i7 2700K@ 4.1GHz/HD3000 graphics/8GB DDR3/180GB SSD
What am I supposed watching? |
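An added example, not part of any post in this thread: a small shell check that tells apart the cases discussed above (DCCP built in, built as a module, blocked through modprobe.d, or not compiled at all). The function name `dccp_exposure` and the sample files are constructed for illustration; `CONFIG_IP_DCCP` is the kernel config symbol for DCCP.

```shell
#!/bin/sh
# Added example (not from the thread): classify DCCP exposure from a kernel
# .config, a modprobe.d directory and a /proc/modules listing.
# dccp_exposure is a hypothetical helper name. Real-host usage:
#   dccp_exposure /usr/src/linux/.config /etc/modprobe.d /proc/modules
dccp_exposure() {
    config=$1 modprobe_dir=$2 proc_modules=$3

    # Already loaded: a modprobe.d rule only prevents future loads.
    if grep -q '^dccp ' "$proc_modules" 2>/dev/null; then
        echo loaded; return
    fi
    # Built in (=y): no module to remove or block, only the patch helps.
    if grep -q '^CONFIG_IP_DCCP=y' "$config"; then
        echo builtin; return
    fi
    if grep -q '^CONFIG_IP_DCCP=m' "$config"; then
        # An "install dccp /bin/true" line stops modprobe from autoloading it.
        if grep -Eqs '^[[:space:]]*install[[:space:]]+dccp[[:space:]]+/bin/(true|false)' \
            "$modprobe_dir"/*.conf; then
            echo module-blocked
        else
            echo module-loadable
        fi
        return
    fi
    # "# CONFIG_IP_DCCP is not set": the affected code was never compiled.
    echo not-built
}

# Constructed sample inputs (not taken from a real host).
SAMPLE=$(mktemp -d)
mkdir "$SAMPLE/modprobe.d"
printf 'CONFIG_INET=y\nCONFIG_IP_DCCP=m\n' > "$SAMPLE/config-m"
printf 'CONFIG_INET=y\nCONFIG_IP_DCCP=y\n' > "$SAMPLE/config-y"
printf 'CONFIG_INET=y\n# CONFIG_IP_DCCP is not set\n' > "$SAMPLE/config-off"
printf 'ipv6 300000 20 - Live 0x0\n' > "$SAMPLE/modules-idle"
printf 'dccp_ipv4 20000 0 - Live 0x0\ndccp 200000 1 dccp_ipv4, Live 0x0\n' > "$SAMPLE/modules-dccp"

dccp_exposure "$SAMPLE/config-m" "$SAMPLE/modprobe.d" "$SAMPLE/modules-idle"    # module-loadable
echo 'install dccp /bin/true' >> "$SAMPLE/modprobe.d/disable-dccp.conf"
dccp_exposure "$SAMPLE/config-m" "$SAMPLE/modprobe.d" "$SAMPLE/modules-idle"    # module-blocked
dccp_exposure "$SAMPLE/config-m" "$SAMPLE/modprobe.d" "$SAMPLE/modules-dccp"    # loaded
dccp_exposure "$SAMPLE/config-y" "$SAMPLE/modprobe.d" "$SAMPLE/modules-idle"    # builtin
dccp_exposure "$SAMPLE/config-off" "$SAMPLE/modprobe.d" "$SAMPLE/modules-idle"  # not-built
```

A result of `builtin`, `loaded` or `module-loadable` means the kernel still needs the patch or one of the workarounds from this thread.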
Duncan Mac Leod Apprentice


Joined: 02 May 2004 Posts: 251 Location: Germany
|
Posted: Mon Feb 27, 2017 8:10 pm Post subject: |
|
|
Mike has just released gentoo-sources 3.10.105-r1 which contains the fix - thank you, Mike! |